Up to now in this book, we have defined a function by introducing a set of axioms. Typically these axioms are computationally suggestive, that is, they have suggested a method for computing the function. But it is not always obvious that the axioms define the function we intend. From these axioms, we have established properties of the function they define, which gives us some assurance that that function is indeed the correct one.

For example, we may define the greatest-common-divisor function gcd(x1, x2) by the axiom (see Section [I]-u.U)

  (∀ integer x1, x2) [ gcd(x1, x2) = if x2 = 0
                                       then x1
                                       else gcd(x2, rem(x1, x2)) ].


This axiom is computationally suggestive, but it is by no means obvious that the function it defines is in fact the greatest common divisor.


From this axiom, however, we can prove the greatest-common-divisor property

  (∀ integer x1, x2)
    [ gcd(x1, x2) ≺_div x1 and gcd(x1, x2) ≺_div x2
      and
      (∀ integer y) [ if y ≺_div x1 and y ≺_div x2
                      then y ≺_div gcd(x1, x2) ] ].

In short, gcd(x1, x2) is the "greatest" nonnegative integer that divides both x1 and x2, where "greatest" means greatest with respect to the divides relation ≺_div (y ≺_div x holds when y divides x). This property does not suggest a computational method, but it does describe the behavior we expect from the greatest-common-divisor function.


Although both of these are sentences in the theory of the nonnegative integers, we regard the former as a program, because it describes a method of computation, and the latter as a specification, because it describes the intended behavior of the program. Up to now, we have defined our functions by programs and then proved that they satisfy certain specifications.


In this chapter, we would like to reverse this procedure. We now suppose that we are given only a specification and try to derive a program that satisfies the specification. Thus we might be given the greatest-common-divisor property as a specification and attempt to derive the computationally suggestive axiom as a program.


As another example, to specify the quotient-remainder program in the theory of the nonnegative integers, we might be given the quotient-remainder property

  if not (x2 = 0)
  then x1 = x2 · z1 + z2
       and
       z2 < x2.

Here z1 is the quotient and z2 the remainder of dividing x1 by x2. The sentence specifies the behavior of the program only for the case in which the divisor x2 is not zero; otherwise we do not care what the program returns.


From this specification we may hope to derive a program such as

  quot(x1, x2) = if x1 < x2
                 then 0
                 else quot(x1 - x2, x2) + 1
  and
  rem(x1, x2) = if x1 < x2
                then x1
                else rem(x1 - x2, x2).

So far, we have used the deductive-tableau system only to establish the validity of sentences. In this chapter we extend it to derive programs from specifications as well.


14.1  SPECIFICATIONS  AND  PROGRAMS 


In  this  section  we  are  a  little  more  precise  about  the  specifications  we  accept,  the 
programs  we  derive,  and  the  relationship  between  them. 

In a theory, we suppose that we are given a specification sentence

  Q[x; z],

where x is an abbreviation for x1, x2, ..., xm, the input variables, and z is an abbreviation for z1, z2, ..., zn, the output variables. (We use the semicolon informally, instead of a comma, to separate the input and output variables.) It is assumed that there are no free variables in Q other than x and z.

For example, the specification for the greatest-common-divisor program is the sentence

  Q[x1, x2; z] :  integer(z)
                  and
                  z ≺_div x1 and z ≺_div x2
                  and
                  (∀ integer y) [ if y ≺_div x1 and y ≺_div x2
                                  then y ≺_div z ].


We are also given input sorts obj(x), that is,

  obj1(x1), obj2(x2), ..., objm(xm),

where each obji is a unary predicate symbol, which characterizes a class of elements in the theory. We would like to define functions f(x), that is, f1(x), f2(x), ..., and fn(x). Each function fi is intended to be applied to inputs x = x1, x2, ..., xm, where each input xi is an element of the class obji. We assume that the function symbols f are "new," in the sense that they do not occur so far in the vocabulary of the theory. For example, for the greatest-common-divisor program, obj1 and obj2 are both integer, and f1 is gcd.


We define the functions f by constructing a program P[x] : f(x) = t[x], that is, a sentence

  P[x] :  f1(x) = t1[x]
          and
          f2(x) = t2[x]
          and
          ...
          and
          fn(x) = tn[x],

where each tj[x] is a term containing no variables other than x.

For example, the greatest-common-divisor program we shall define is

  gcd(x1, x2) = if x2 = 0
                then x1
                else gcd(x2, rem(x1, x2)).

The program must satisfy the specification, in the sense that the correctness condition

  if (∀ obj x) P[x]
  then (∀ obj x) Q[x; f(x)]

must be valid in the theory. Here (∀ obj x) is an abbreviation for

  (∀ obj1 x1)(∀ obj2 x2) ... (∀ objm xm).

For example, the greatest-common-divisor program satisfies the specification in the sense that the correctness condition

  if (∀ integer x1, x2) P[x1, x2]
  then (∀ integer x1, x2) Q[x1, x2; gcd(x1, x2)]

is valid in the theory of the nonnegative integers.

In any theory, there are some symbols that are in the basic vocabulary, that have been defined by axioms that suggest some method of computation, or that denote functions for which programs have already been derived. These "primitive" symbols may be used freely in a program sentence. In the theory of the nonnegative integers, for example, the constant symbol 0 and the successor function symbol x + 1 are in the basic vocabulary. The multiplication function symbol x · y and the less-than predicate symbol x < y have been defined by computationally suggestive axioms. Therefore, 0, x + 1, x · y, and x < y are primitive symbols we can use in the greatest-common-divisor program.
On the other hand, there are symbols that denote entities we do not know how to compute, such as quantifiers and Skolem function symbols. These "nonprimitive" symbols may occur in specifications and in the axioms for a theory but not in any program.

In short, to ensure that the programs f(x) = t[x] we derive are actually computationally suggestive, we shall require that only primitive constant, function, and predicate symbols, including the function symbols f themselves, may occur in the terms t[x]. We shall define primitivity more precisely later.


Remark (single input or output)

In the case in which the program has only one input or only one output, we shall drop the subscript and write x or z instead of x1 or z1. Thus, in the above example we may write Q[x1, x2; z] instead of Q[x1, x2; z1].


Example (quotient-remainder)

In the theory of the nonnegative integers, we may specify the quotient-remainder program by the sentence

  Q[x1, x2; z1, z2] :  if not (x2 = 0)
                       then integer(z1) and integer(z2)
                            and
                            x1 = x2 · z1 + z2
                            and
                            z2 < x2,

where the input sorts obj1 and obj2 are both integer. Here z1 is the quotient and z2 is the remainder of dividing x1 by x2. The sentence specifies the behavior of the program only for the case in which the divisor x2 is not zero; otherwise we do not care what the program returns.


Using the extended deductive-tableau system, we shall be able to derive the program

  P[x1, x2] :  quot(x1, x2) = if x1 < x2
                              then 0
                              else quot(x1 - x2, x2) + 1
               and
               rem(x1, x2) = if x1 < x2
                             then x1
                             else rem(x1 - x2, x2).




Chapter  14:  Program  Synthesis 


The correctness condition in this case is the sentence

  if (∀ integer x1, x2) P[x1, x2]
  then (∀ integer x1, x2) Q[x1, x2; quot(x1, x2), rem(x1, x2)],

which can be shown to be valid in the theory of the nonnegative integers. Thus the program does satisfy the specification. It also contains only primitive symbols.
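As an added illustration (not part of the book), the two programs of this section written as Python functions and checked against their specifications. The definitions of quot, rem, and gcd follow the program sentences above literally; the specification predicates gcd_spec and quotrem_spec, the bound on the inputs, and the guard that rejects a zero divisor are choices made for this example.

```python
# Added example (not from the book): the derived gcd and quotient-remainder
# programs, checked against the greatest-common-divisor property and the
# quotient-remainder property for every pair of small nonnegative integers.

def divides(y, x):
    """The divides relation y ≺_div x of the theory: some z with x = y·z.
    Every y divides 0, and 0 divides only 0."""
    return x == 0 if y == 0 else x % y == 0

def quot(x1, x2):
    """quot(x1, x2) = if x1 < x2 then 0 else quot(x1 - x2, x2) + 1"""
    if x2 == 0:
        # The specification says nothing about x2 = 0, and the derived program
        # would recurse forever here; the guard is an addition for this example.
        raise ValueError("quot(x1, 0) is unspecified")
    return 0 if x1 < x2 else quot(x1 - x2, x2) + 1

def rem(x1, x2):
    """rem(x1, x2) = if x1 < x2 then x1 else rem(x1 - x2, x2)"""
    if x2 == 0:
        raise ValueError("rem(x1, 0) is unspecified")   # same guard as quot
    return x1 if x1 < x2 else rem(x1 - x2, x2)

def gcd(x1, x2):
    """gcd(x1, x2) = if x2 = 0 then x1 else gcd(x2, rem(x1, x2))"""
    return x1 if x2 == 0 else gcd(x2, rem(x1, x2))

def gcd_spec(x1, x2, z, bound):
    """Q[x1, x2; z]: z divides x1 and x2, and every common divisor y of x1
    and x2 divides z. The quantifier over y is checked for y in 0..bound."""
    return (divides(z, x1) and divides(z, x2)
            and all(divides(y, z) for y in range(bound + 1)
                    if divides(y, x1) and divides(y, x2)))

def quotrem_spec(x1, x2, z1, z2):
    """Q[x1, x2; z1, z2]: if not (x2 = 0) then x1 = x2·z1 + z2 and z2 < x2."""
    return x2 == 0 or (x1 == x2 * z1 + z2 and z2 < x2)

def check_correctness(bound=30):
    """The two correctness conditions, tested for all inputs in 0..bound:
    Q[x1, x2; gcd(x1, x2)] and Q[x1, x2; quot(x1, x2), rem(x1, x2)]."""
    for x1 in range(bound + 1):
        for x2 in range(bound + 1):
            if not gcd_spec(x1, x2, gcd(x1, x2), bound):
                return False
            if x2 != 0 and not quotrem_spec(x1, x2, quot(x1, x2), rem(x1, x2)):
                return False
    return True

if __name__ == "__main__":
    print(gcd(12, 18), quot(17, 5), rem(17, 5))
    print(check_correctness())
```

check_correctness is a bounded sanity check, not the validity proof the chapter is about; it does, however, exercise the corner the specification leaves open (x2 = 0), where the derived quot and rem do not terminate, and the case gcd(0, 0) = 0, which the property accepts because 0 ≺_div 0 holds in the theory.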


Example (redhead)

This example suggests that deriving programs may have applications to "database retrieval." We outline a new family theory. In the intended interpretation for this theory,

  person(x) is the person relation ("x is a person")
  par(x, y) is the parent relation ("x is a parent of y")
  red(x) is the redheadedness relation ("x is redheaded").

One of the axioms for the theory is

  (∀ person u, v) [ if par(u, v)
                    then not par(v, u) ],

that is, the parent relation is asymmetric.

We are given the specification sentence

  Q[x1, x2, x3; z1, z2] :  if par(x1, x2) and par(x2, x3) and
                              red(x1) and not red(x3)
                           then person(z1) and person(z2) and
                                par(z1, z2) and
                                red(z1) and not red(z2),

where the input sorts obj1, obj2, and obj3 are all person. In other words, if x1 is a grandparent of x3, and x1 is redheaded but x3 is not, then we are to find people z1 and z2 such that z1 is a parent of z2 and z1 is redheaded but z2 is not. We regard all three predicate symbols as primitive.

The redhead program we are to derive from this specification is

  P[x1, x2, x3] :  rh(x1, x2, x3) = if red(x2)
                                    then x2
                                    else x1
                   and
                   nrh(x1, x2, x3) = if red(x2)
                                     then x3
                                     else x2.

This program can be shown to satisfy the specification, in the sense that

  if (∀ person x1, x2, x3) P[x1, x2, x3]
  then (∀ person x1, x2, x3) Q[x1, x2, x3; rh(x1, x2, x3), nrh(x1, x2, x3)]

is valid in the theory.


The  derivation  of  this  program  will  be  given  later  in  the  chapter. 
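As an added example (not part of the book), the redhead program and its specification evaluated over a small family database. The persons, parent facts, and redhead facts are constructed for the example; rh and nrh are the program sentences above, and spec is the specification Q written as a predicate.

```python
# Added example, not from the book: the redhead program rh/nrh and its
# specification Q[x1, x2, x3; z1, z2], evaluated over a constructed family
# database. Names, parent facts and redhead facts below are made up here.

PERSONS = {"ann", "bob", "cal", "dee", "eve", "fay"}
PAR = {("ann", "bob"), ("bob", "cal"), ("ann", "dee"), ("dee", "eve"), ("eve", "fay")}
RED = {"ann", "bob", "fay"}

def person(x): return x in PERSONS
def par(x, y):  return (x, y) in PAR          # "x is a parent of y"
def red(x):     return x in RED

def asymmetric(par_rel):
    """The axiom (∀ person u, v)[if par(u, v) then not par(v, u)], for this database."""
    return all((v, u) not in par_rel for (u, v) in par_rel)

# The derived program P[x1, x2, x3].
def rh(x1, x2, x3):  return x2 if red(x2) else x1
def nrh(x1, x2, x3): return x3 if red(x2) else x2

def spec(x1, x2, x3, z1, z2):
    """Q[x1, x2, x3; z1, z2]: if x1 is a redheaded grandparent (via x2) of a
    non-redheaded x3, then z1 is a redheaded parent of a non-redheaded z2."""
    hyp = par(x1, x2) and par(x2, x3) and red(x1) and not red(x3)
    return (not hyp) or (person(z1) and person(z2) and par(z1, z2)
                         and red(z1) and not red(z2))

def correctness_condition():
    """(∀ person x1, x2, x3) Q[x1, x2, x3; rh(x1, x2, x3), nrh(x1, x2, x3)],
    checked over every triple of persons in the database."""
    return all(spec(x1, x2, x3, rh(x1, x2, x3), nrh(x1, x2, x3))
               for x1 in PERSONS for x2 in PERSONS for x3 in PERSONS)

def solutions():
    """For each triple meeting the hypothesis, the (z1, z2) the program returns."""
    return sorted((x1, x2, x3, rh(x1, x2, x3), nrh(x1, x2, x3))
                  for x1 in PERSONS for x2 in PERSONS for x3 in PERSONS
                  if par(x1, x2) and par(x2, x3) and red(x1) and not red(x3))
```

The database contains both cases the program distinguishes: for ann, bob, cal the middle person is redheaded, so the answer is the pair (bob, cal); for ann, dee, eve the middle person is not, so the answer is (ann, dee). No search over the database is needed, which is the point of deriving a program rather than running a query.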


PROGRAM  TRANSFORMATION 

Up to now, we have been considering specifications that describe a relation between the inputs and outputs but do not suggest any method of computation. Sometimes, however, we know a method for computing the function and want to find another, perhaps more efficient one. This is known as program transformation. The same extended deductive-tableau system we use for ordinary program derivation will also be used for program transformation.


Example (flattree)

In a combined theory of trees and strings (Section [I]-8.4), we introduced a function flattree(x) to form a string from the atoms of a given tree x. The function was defined by the following pair of computationally suggestive axioms:

  (∀ atom u) [ flattree(u) = u ]                                    (atom)
  (∀ tree u, v) [ flattree(u • v) = flattree(u) * flattree(v) ]     (construction)

Suppose we would like to discover a different method for computing the same function. Then we may attempt to derive a program flattree1(x), whose specification is simply

  Q1[x; z] :  z = flattree(x).

Our input sort is tree.

We shall be able to derive many different programs to meet the above specification, all of them computing the same flattree function. Some of these programs will use the computational method suggested by the flattree axioms; others will use different, perhaps more efficient, methods.

The derivation of the flattree1 program is facilitated if we first derive a program flattree2(x1, x2) to form a string from the atoms of a given tree x1 and concatenate that string and a given string x2. The specification sentence for flattree2 is

  Q2[x1, x2; z] :  z = flattree(x1) * x2.

Our input sorts obj1 and obj2 are tree and string, respectively.

From this specification, we can construct a program sentence such as

  P2[x1, x2] :  flattree2(x1, x2) = if atom(x1)
                                    then x1 • x2
                                    else flattree2(left(x1),
                                                   flattree2(right(x1), x2)).

This program satisfies the specification, in the sense that the correctness condition

  if (∀ tree x1)(∀ string x2) P2[x1, x2]
  then (∀ tree x1)(∀ string x2) [ flattree2(x1, x2) = flattree(x1) * x2 ]

is valid.

Once we have derived the program for flattree2, we may use it in deriving a program for flattree1. The program we obtain is

  P1[x] :  flattree1(x) = flattree2(x, Λ).

The computational method described by the flattree1 and flattree2 programs turns out to be more efficient than that suggested by the original axioms for flattree.

This derivation will be presented in full detail later in the chapter.
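An added example (not part of the book) that runs both methods on the same trees. Trees and strings are encoded as Python values, and the cost counter for the two string operations (prefix u • x costing one step, concatenation u * v costing the length of its left argument, as for linked lists) is an assumption of the example that makes the efficiency comparison concrete.

```python
# Added example (not from the book): the flattree axioms and the derived
# flattree2/flattree1 programs, with an operation count.
# Trees are atoms (Python strings) or pairs (left, right). Strings of the
# theory are tuples of atoms; the empty string Λ is (). An atom is a string of
# length one. The cost model below is an assumption of this example.

COST = {"ops": 0}

def prefix(u, x):              # u • x
    COST["ops"] += 1
    return (u,) + x

def concat(u, v):              # u * v
    COST["ops"] += len(u)
    return u + v

def atom(x):  return isinstance(x, str)
def left(x):  return x[0]
def right(x): return x[1]

def flattree(x):
    """The original axioms: flattree(u) = u for an atom u,
    flattree(u • v) = flattree(u) * flattree(v) for a constructed tree."""
    return (x,) if atom(x) else concat(flattree(left(x)), flattree(right(x)))

def flattree2(x1, x2):
    """flattree2(x1, x2) = if atom(x1) then x1 • x2
                           else flattree2(left(x1), flattree2(right(x1), x2))"""
    if atom(x1):
        return prefix(x1, x2)
    return flattree2(left(x1), flattree2(right(x1), x2))

def flattree1(x):
    """flattree1(x) = flattree2(x, Λ)"""
    return flattree2(x, ())

def spec2_holds(x1, x2):
    """Q2[x1, x2; z] with z = flattree2(x1, x2): z = flattree(x1) * x2."""
    return flattree2(x1, x2) == flattree(x1) + x2

def measured(f, *args):
    """Run f on args and return (result, cost units spent)."""
    COST["ops"] = 0
    result = f(*args)
    return result, COST["ops"]

def left_deep(n):
    """(...((a1 • a2) • a3) ... • an): the worst case for the axioms."""
    t = "a1"
    for i in range(2, n + 1):
        t = (t, f"a{i}")
    return t

def compare(x):
    """Both programs yield the same string (Q1[x; z]); return
    (string, cost under the axioms, cost under flattree1)."""
    s1, c1 = measured(flattree, x)
    s2, c2 = measured(flattree1, x)
    assert s1 == s2
    return s1, c1, c2
```

For the left-deep tree of five atoms the axioms cost 1 + 2 + 3 + 4 = 10 units, because each concatenation copies the whole string built so far, while flattree1 costs 5, one prefix per atom. The derived program is linear in the number of atoms for every tree shape; the axioms are quadratic on left-deep trees, which is the sense in which the transformation improves efficiency.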


THE APPROACH

Suppose that we are given a specification

  Q[x; z]

with input sorts obj, and would like to derive a program

  f(x) = t[x]

that satisfies this specification. We shall extend the deductive-tableau system so that the program can be obtained as a byproduct of proving the sentence

  (†)  (∀ obj x)(∃ z) Q[x; z].

In other words, we prove the existence of output objects z satisfying the given specification for given input objects x. The proof must indicate a method for finding the desired output objects, and this method provides the computational basis for the program f(x) = t[x] that computes the output objects.

We  shall  now  discuss  how  the  deductive-tableau  system  can  be  extended  so 
that  programs  can  be  extracted  from  proofs. 


14.2  OUTPUT  ENTRIES 


Up to now, a deductive tableau has had two columns, one for assertions and one for goals. To derive a program, we now extend our tableaux by introducing a number of output columns.

If we are given a specification

  Q[x1, ..., xm; z1, ..., zn]

with n output variables, we introduce n new output columns. The jth output column is used in the derivation of the jth conjunct

  fj(x) = tj[x]

of the desired program. It is labelled fj(a), where a = a1, a2, ..., am are new constants called the input constants. For any row, whether it contains an assertion or a goal, the output columns may all be blank or may each contain a term of the theory, called an output entry. The output entries will be used to derive programs from specifications.

We  shall  call  a  tableau  with  output  columns  an  extended  tableau,  in  contrast 
to  a  tableau  with  only  assertion  and  goal  columns,  which  we  shall  henceforth  call 
a  basic  tableau. 
Example (extended tableau)

The following is an extended tableau from the derivation of a quotient-remainder program:

  assertions       | goals                         | quot(a1, a2)           | rem(a1, a2)
  -----------------+-------------------------------+------------------------+------------------
  not (a2 = 0)     |                               |                        |
                   | integer(z1) and integer(z2)   | z1                     | z2
                   | and a1 = a2 · z1 + z2         |                        |
                   | and z2 < a2                   |                        |
  u · 0 = 0        |                               |                        |
                   | a1 < a2                       | 0                      | a1
  a1 < a2          |                               | quot(a1 - a2, a2) + 1  | rem(a1 - a2, a2)

                                   Tableau T1

Here the assertions not (a2 = 0) and u · 0 = 0 have no output entries; the other rows all do.


SUITING  A  ROW 


We have given the meaning of the assertions and goals of a basic tableau by defining its truth (under an interpretation) and validity (in a theory). The same definitions apply to extended tableaux, ignoring the output entries. To give the meaning of the output entries themselves, we define what it means for terms to suit a tableau (under an interpretation) and satisfy a tableau (in a theory). Loosely speaking, the terms that suit a tableau will denote acceptable outputs for the desired program. We first define what it means for terms to suit a single row of a tableau. The terms that suit the row will be acceptable outputs when that row's assertion is false (or that row's goal is true).

In the definition that follows, we consider a row of a tableau with an assertion A [or goal G] and output entries s = s1, ..., sn, that is, a row whose assertion [or goal] column contains A [or G] and whose output columns contain s1, ..., sn. We consider any substitution λ such that the instances A◁λ [or G◁λ] and s◁λ are closed, that is, they contain no free variables. According to the definition, the terms s◁λ suit the row under an interpretation I if A◁λ is false [or G◁λ is true] under I. But let us be more precise.

Definition (terms suit row)

Consider a row of a tableau containing an assertion A [or goal G]. Let t = t1, t2, ..., tn be closed terms and I be an interpretation. We shall say that the terms t suit the row under I if, for some substitution λ, the following conditions hold:

  • Truth condition. The sentence A◁λ is closed and false under I [or the sentence G◁λ is closed and true under I].

  • Output condition. If the row has output entries s = s1, s2, ..., sn, the instances

      s◁λ = s1◁λ, s2◁λ, ..., sn◁λ

    are closed and have the same values, respectively, as t = t1, t2, ..., tn under I.

We shall call such a substitution λ a suiting substitution.


Remark (rows with no output entries)

The output condition holds vacuously in the case in which the row has no output entries. In other words, any closed terms t will suit such a row, provided there is some substitution λ for which A◁λ is false [or G◁λ is true] and closed under I.

When it is convenient, such a row may actually be treated as a row with output entries

  u1, u2, ..., un,

where the ui are distinct variables that do not occur free elsewhere in the row. For if the closed terms t suit a row with output entries u, then t suit the corresponding row with no output entries at all, with the same suiting substitution, because the output condition holds vacuously. And if t suit a row that has no output entries, with suiting substitution λ, then t suit the corresponding row with output entries u, with suiting substitution

  {u1 ← t1, u2 ← t2, ..., un ← tn} □ λ.

Here □ is the composition function for substitutions.

By the same token, we may find it convenient to treat a row whose output entries u are all distinct variables that do not occur free elsewhere in the row as a row without output entries at all.

Let us now illustrate the new definition.

Let  us  now  illustrate  the  new  definition. 


Example (suiting a row)

The following extended tableau T2 is obtained from a derivation of the redhead program described in an earlier example.

  assertions                      | goals                        | rh(a1, a2, a3)    | nrh(a1, a2, a3)
  --------------------------------+------------------------------+-------------------+------------------
  1. par(a1, a2) and par(a2, a3)  |                              |                   |
     and red(a1) and not red(a3)  |                              |                   |
                                  | 2. par(z1, z2) and red(z1)   | z1                | z2
                                  |    and not red(z2)           |                   |
  3. if par(u, v)                 |                              |                   |
     then not par(v, u)           |                              |                   |
                                  | 4. not red(a2)               | a1                | a2
                                  | 5. red(a2)                   | a2                | a3
                                  | 6. true                      | if red(a2)        | if red(a2)
                                  |                              | then a2           | then a3
                                  |                              | else a1           | else a2

                                          Tableau T2

Let I_r be any model for the theory under which

  red(a2) is true,

that is, a2 is a redheaded person, and under which assertion 1 is true, that is, par(a1, a2), par(a2, a3), red(a1), and not red(a3) are all true. In other words, a1 is a parent of a2, a2 is a parent of a3, and a1 is redheaded but a3 is not.

Under this interpretation, the two closed terms

  t : a2, a3

suit row 5,

  5.  [goal]  red(a2)    |  a2  |  a3

which has no free variables. To show this, we may take the suiting substitution λ to be the empty substitution { }. The truth condition holds under I_r because the instance of the goal, G◁λ, is

  red(a2),

which is true under I_r. (In this discussion, we shall use A or G to stand for the assertion or goal of the row under discussion.) The output condition also holds, because the corresponding instances of the output entries, a2◁λ and a3◁λ, are precisely the same as the closed terms t : a2, a3.

Under the same interpretation, the same closed terms t : a2, a3 also suit row 2,

  2.  [goal]  par(z1, z2) and red(z1) and not red(z2)    |  z1  |  z2

which does have free variables. To show this, we take the suiting substitution λ to be

  {z1 ← a2, z2 ← a3}.

The truth condition holds under I_r, because the instance of the goal,

  par(a2, a3) and red(a2) and not red(a3),

is true under I_r. The output condition holds, because the corresponding instances of the output entries, z1◁λ and z2◁λ, are precisely the same as the closed terms t : a2, a3.
The same closed terms t : a2, a3 also suit row 6,

  6.  [goal]  true    |  if red(a2) then a2 else a1  |  if red(a2) then a3 else a2

under I_r. To show this, we take the suiting substitution to be the empty substitution { }. The truth condition of course holds, because any instance of the goal true is true under I_r. The output condition also holds; although the corresponding instances of the output entries,

  if red(a2) then a2 else a1   and   if red(a2) then a3 else a2,

are not identical to t : a2, a3, they have the same values under I_r, because red(a2) is true under I_r.

By the same reasoning, the closed terms

  t :  if red(a2) then a2 else a1   and   if red(a2) then a3 else a2

also suit row 6 under I_r, for these terms are identical to the output entries for this row. In fact, these terms also suit rows 2 and 5 under I_r.

Let I_n be any model for the theory under which

  red(a2) is false,

that is, a2 is not a redheaded person, and under which, as in I_r, assertion 1 is true, that is, par(a1, a2), par(a2, a3), red(a1), and not red(a3) are all true. Under this interpretation, the two closed terms

  t : a1, a2

suit rows 4 and 2,

  4.  [goal]  not red(a2)                                |  a1  |  a2
  2.  [goal]  par(z1, z2) and red(z1) and not red(z2)    |  z1  |  z2

To show this, we take the suiting substitution λ to be { } and {z1 ← a1, z2 ← a2}, respectively. The same terms t : a1, a2 can be shown to suit row 6,

  6.  [goal]  true    |  if red(a2) then a2 else a1  |  if red(a2) then a3 else a2

under I_n.

We can also show that the terms

  t :  if red(a2) then a2 else a1   and   if red(a2) then a3 else a2

suit rows 2, 4, and 6 under I_n. In fact, these terms have the same values as a1 and a2 under I_n, because red(a2) is false.


Let I_0 be any model for the theory under which assertion 1,

  1.  [assertion]  par(a1, a2) and par(a2, a3) and red(a1) and not red(a3)

is false. Then any closed terms t suit this row under I_0. To show this, we take the suiting substitution to be { }. The truth condition holds under I_0, because the instance of the assertion, A◁λ, is A itself, which is closed and false under I_0. The output condition holds vacuously, because this row has no output entries.

Suppose I is any interpretation under which some instance

  [ if par(u, v) then not par(v, u) ]◁λ

of the asymmetry axiom in row 3,

  3.  [assertion]  if par(u, v) then not par(v, u)

for the parent relation is false. (Consequently I is not a model for the theory.) Then any closed terms t suit row 3 under I. Taking the suiting substitution to be λ itself, we see that the truth condition holds, because A◁λ has been assumed to be false under I. The output condition holds vacuously, because the row has no output entries.
Remark (true assertions)

Suppose I is any interpretation under which no closed instance A◁λ of the assertion A is false [or no closed instance of the goal G is true]. Then no closed terms t suit the assertion A [or the goal G] under I, because the truth condition cannot hold. In particular, if A is valid in a theory, no closed terms t can suit the assertion A under a model for the theory.


SUITING  A  TABLEAU 

We  can  now  say  what  it  means  for  terms  to  suit  an  entire  tableau,  rather  than  a 
single  row,  under  an  interpretation. 

Definition  (terms  suit  tableau) 

Let T be a tableau, t = t1, t2, ..., tn be closed terms, and I be an interpretation. We shall say that the terms t suit the tableau T under I if t suit some row of T under I.


Example (suiting a tableau)

Let us refer back to the tableau T2 of the preceding example, from the derivation of the redhead program.

We have seen that the closed terms

  t : a2, a3

suit the rows 2, 5, and 6 under the interpretation I_r, in which a2 is redheaded. Therefore, these terms suit the entire tableau under I_r.

Also, the terms

  t : a1, a2

suit the rows 2, 4, and 6 under the interpretation I_n, in which a2 is not redheaded. Therefore, these terms suit the entire tableau under I_n.

It can be shown that a2 and a3 do not suit the tableau under I_n, that is, they do not suit any row under this interpretation. Similarly, a1 and a2 do not suit the tableau under I_r.

We have also seen that the terms

  t :  if red(a2) then a2 else a1   and   if red(a2) then a3 else a2

suit the rows 2, 5, and 6 under the interpretation I_r. Therefore, these terms suit the entire tableau under I_r. These same terms suit the rows 2, 4, and 6 under I_n; therefore, they suit the entire tableau under I_n.


SATISFYING  A  TABLEAU 

Finally,  we  can  say  what  it  means  for  terms  to  satisfy  a  tableau  for  a  given  theory. 
By  discovering  closed  terms  that  satisfy  the  appropriate  tableau,  we  shall  be  able 
to  construct  a  program  that  satisfies  a  given  specification. 

Definition  (terms  satisfy  tableau) 

Let T be a tableau, and t = t1, t2, ..., tn be closed terms.

In  a  given  theory,  the  terms  t  satisfy  the  tableau  T  if  t  suit  T  under 
every  model  for  the  theory. 


Example (satisfying a tableau)

Consider once more the tableau T2 from the derivation of the redhead program. We claim that, in the family theory described earlier, the terms

  t :  if red(a2) then a2 else a1   and   if red(a2) then a3 else a2

satisfy this tableau. For consider any model I for the theory; we show that t suit the tableau under I. We distinguish among three cases.

  • If

      red(a2)

    and

      par(a1, a2) and par(a2, a3) and red(a1) and not red(a3)

    are both true under I, we have seen that the terms t suit the rows 2, 5, and 6. Since they suit at least one row, they suit the entire tableau.

  • If

      not red(a2)

    and

      par(a1, a2) and par(a2, a3) and red(a1) and not red(a3)

    are true under I, we have seen that the terms t suit the rows 2, 4, and 6, and hence the entire tableau.

  • Finally, if

      par(a1, a2) and par(a2, a3) and red(a1) and not red(a3)

    is false under I, we have seen that any terms will suit row 1, and hence the entire tableau.

These three cases exhaust all possibilities. Therefore, t suit the tableau under I, as we wanted to show.
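An added example (not part of the book): the three definitions of this section, "terms suit a row", "terms suit a tableau", and "terms satisfy a tableau", checked by exhaustive enumeration for tableau T2. Restricting the domain to the three input constants a1, a2, a3, so that every interpretation can be enumerated and the quantifier over models becomes a finite loop, is an assumption of the example; the book's claim is about all models of the theory.

```python
# Added example (not from the book): suiting and satisfying, checked by brute
# force over all interpretations of the family theory on the finite domain
# D = {a1, a2, a3}. A model is an interpretation in which the asymmetry axiom
# holds. This finite restriction is an assumption made for the example.
from itertools import product

D = ("a1", "a2", "a3")

def all_models():
    """Every interpretation over D under which the asymmetry axiom holds."""
    pairs = [(u, v) for u in D for v in D]
    for bits in product((False, True), repeat=len(pairs)):
        par = {p for p, b in zip(pairs, bits) if b}
        if any((v, u) in par for (u, v) in par):
            continue                      # par(u, v) and par(v, u): not a model
        for rbits in product((False, True), repeat=len(D)):
            yield {"par": par, "red": {a for a, b in zip(D, rbits) if b}}

def ite(c, a, b): return a if c else b

# A row is (kind, formula, free variables, output entries). A formula is a
# function of an interpretation I and an environment e for the free variables;
# an output entry is a term, here a function (I, e) -> element. None means the
# row has no output entries. The rows are those of tableau T2.
T2 = [
    ("assertion",
     lambda I, e: ("a1", "a2") in I["par"] and ("a2", "a3") in I["par"]
                  and "a1" in I["red"] and "a3" not in I["red"],
     (), None),
    ("goal",
     lambda I, e: (e["z1"], e["z2"]) in I["par"] and e["z1"] in I["red"]
                  and e["z2"] not in I["red"],
     ("z1", "z2"), (lambda I, e: e["z1"], lambda I, e: e["z2"])),
    ("assertion",
     lambda I, e: (e["u"], e["v"]) not in I["par"] or (e["v"], e["u"]) not in I["par"],
     ("u", "v"), None),
    ("goal", lambda I, e: "a2" not in I["red"], (),
     (lambda I, e: "a1", lambda I, e: "a2")),
    ("goal", lambda I, e: "a2" in I["red"], (),
     (lambda I, e: "a2", lambda I, e: "a3")),
    ("goal", lambda I, e: True, (),
     (lambda I, e: ite("a2" in I["red"], "a2", "a1"),
      lambda I, e: ite("a2" in I["red"], "a3", "a2"))),
]

def suits_row(row, t, I):
    """Closed terms t (given as functions of I) suit the row under I if some
    substitution for its free variables meets the truth condition (assertion
    false, or goal true) and the output condition (entries have the values of t)."""
    kind, formula, free, outputs = row
    want = [term(I) for term in t]
    for values in product(D, repeat=len(free)):
        e = dict(zip(free, values))          # the suiting substitution λ
        if formula(I, e) != (kind == "goal"):
            continue
        if outputs is None or [s(I, e) for s in outputs] == want:
            return True
    return False

def suits_tableau(tableau, t, I):
    """t suit the tableau under I if t suit some row under I."""
    return any(suits_row(row, t, I) for row in tableau)

def satisfies(tableau, t):
    """In the theory, t satisfy the tableau if t suit it under every model."""
    return all(suits_tableau(tableau, t, I) for I in all_models())

def const(c): return lambda I: c

# The program's output terms, and two specific models from the text.
T_PROG = (lambda I: ite("a2" in I["red"], "a2", "a1"),
          lambda I: ite("a2" in I["red"], "a3", "a2"))
I_R = {"par": {("a1", "a2"), ("a2", "a3")}, "red": {"a1", "a2"}}   # red(a2) true
I_N = {"par": {("a1", "a2"), ("a2", "a3")}, "red": {"a1"}}         # red(a2) false
```

Under I_R the constants a2, a3 suit rows 2, 5, and 6 and so suit the tableau, while a1, a2 suit no row; under I_N the roles are reversed. Only the conditional terms suit the tableau under every one of the 216 models, which is what satisfying the tableau means and why they, and not either pair of constants, are the output of the derivation.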


14.3  PROPERTIES  OF  EXTENDED  TABLEAUX 

The properties we have established for basic deductive tableaux carry over to extended tableaux. In particular, the duality, instantiation, and renaming properties of basic tableaux all have their counterparts for tableaux with output entries. We begin by adapting the notion of equivalence to extended tableaux.

Definition (equivalence)

In a theory, two tableaux T and T' are equivalent if, for any model I for the theory,

  T is true under I
  precisely when
  T' is true under I

and, for any closed terms t,

  t suit T under I
  precisely when
  t suit T' under I.


Sometimes the notion of equivalence is too strong. We introduce a weaker notion, that of two tableaux having the "same meaning."


Definition (same meaning)

In a theory, two tableaux T and T' have the same meaning if

  T is valid in the theory
  precisely when
  T' is valid in the theory

and, for any closed terms t,

  t satisfy T in the theory
  precisely when
  t satisfy T' in the theory.

It  is  clear  that  if  two  tableaux  are  equivalent,  they  have  the  same  meaning. 

We  can  now  state  the  three  properties  as  they  are  adapted  for  extended 
tableaux. 


DUALITY 

The duality property states that we can move sentences freely between the assertion and goal columns simply by negating them, obtaining an equivalent tableau.

Property  (duality) 

In  a  theory, 

•  A  tableau  containing  an  assertion  A  with  output  entries  s  [or 
none] 


is  equivalent  to 
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the  tableau  containing  instead  the  goal  (not  A)  with  the  same 
output  entries  s  [or  none] . 

•  A  tableau  containing  a  goal  §  with  output  entries  s  [or  none] 
is  equivalent  to 

the  tableau  containing  instead  the  assertion  (not  g)  with  the 
same  output  entries  s  [or  none] . 

The  justification  is  straightforward ,  but  we  present  it  to  give  the  definitions 
some  exercise. 

Justification  (duality) 

We  show  only  the  first  part.  Let  I  be  any  model  for  the  theory  in  question. 
Let  T  be  the  tableau  with  the  assertion  A  and  output  entries  a  [if  any],  and  T' 
be  the  tableau  with  the  goal  (not  A)  and  output  entries  a  [if  any]  instead.  By  the 
dmaktj  property  for  basic  tableaux,  we  know  that  T  is  true  under  J  if  and  only 
if  T'  js  true  under  I. 

Suppose  that  the  closed  terms  1  suit  T  under  I ;  then  they  suit  some  row  of 
T  under  J.  If  that  row  is  not  that  of  the  assertion  /,  then  the  row  also  occurs  in 
T',  so  the  terms  1  also  suit  T'  under  I. 

In  the  case  in  which  f  suit  the  assertion  A  itself  under  J,  we  know  that  there 
is  a  suiting  substitution  A  such  that  the  truth  condition  holds,  that  is, 

A  w  A  is  closed  and  false  under  J, 

and  the  output  condition  holds,  that  is, 

(f)  the  instances  a  <  X  of  the  output  entries  [if  any] 

are  closed  and  have  the  same  values,  respectively,  as  t  under  I . 

From  the  truth  condition,  we  have 

(|)  .  (not  A)*A'is  closed  and  true  under  1. 

Hence  (by  (f)  and  (}))  the  terms  t  suit  the  goal  (not  A)  in  the  tableau  T' ,  with 
suiting  substitution  A,  and  therefore  suit  the  tableau  T  itself. 

Similarly*  we  can  show  that,  if  closed  terms  f  suit  T'  under  J,  they  also  suit 
T  under./-  Hence  T  and  T'  are  equivalent. 
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RENAMING 

The  renaming  property  states  that  we  may  systematically  rename  the  free  vari¬ 
ables  of  any  row,  obtaining  an  equivalent  tableau.  Recall  that  a  permutation 
substitution  is  one  that  always  replaces  distinct  variables  with  distinct  variables 
{(  Section  6.8??  )).  Permutation  substitutions  have  inverses;  in  fact,  *■  is  a  per¬ 
mutation  substitution  if  and  only  if  there  is  a  permutation  substitution  s'1  such 
that 


*□*-*  =  {  }. 


Property  (renaming) 

In  a  theory,  for  any  permutation  substitution  *, 

a  tableau  containing  an  assertion  [or  goal]  7  with  output  entries 
s  [or  none] 

is  equivalent  to 

the  tableau  containing  instead  the  assertion  [or  goal]  7  -*r  with 
the  output  entries  ?■«*  [or  none],  ^ 


Justification  (renaming) 

Let  1  be  any  model  for  the  theory  in  question,  and  let  v  be  any  permutation 
substitution.  We  consider  only  the  assertion  case.  Let  T  be  the  tableau  with 
the  assertion  7  and  output  entries  *  [or  none],  and  T'  be  the  tableau  with  the 
assertion  7 -  x  and  output  entries  »-*x  [or  none]  instead.  By  the  renaming  prop¬ 
erty  for  basic  tableaux,  we  know  that  T  is  true  under  I  if  and  only  if  T'  is  true 
under  I . 

Suppose  the  closed  terms  t  suit  T  under  I.  Then  they  suit  some  row  of  T 
under  I.  If  that  row  is  not  the  assertion  7,  then  the  row  also  occurs  in  T',  so 
the  terms  t  also  suit  T'  under  J. 

Suppose  the  terms  t  suit  the  assertion  7  under  I.  Then  for  some  suiting 
substitution  A,  we  have  the  truth  condition, 

7  -u\  is  closed  and  false  under  J,  _ 

and  the  output  condition, 

the  instances  ?-«A  of  the  output  entries  [if  any]  are  closed 

and  have  the  same  values,  respectively,  as  f . under  I . 
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Suppose  x_1  is  the  inverse  of  x.  Then  x  □  x-1  =  {  }  ((  out??  ))  ({  mentioned 
earlier?  )) ,  and  we  have  (by  properties  of  substitutions) 

/-A  =  (/•*{  })  ■"A  3  (MxDr‘))iA  =  ((r^x)^x->)^A 

=  (/-.x)«.(x-‘DA) 

and,  if  there  are  output  entries  s, 

s«A  =  (*■»{  })  -*A  =  (•-•(xDx-1))^^  =  ((s -«  x)  ■<  x~ 1 )  ■«  A 

=  (5-<x)-«(x-1  QA). 

Consequently  (by  the  fruM  and  output  conditions), 

(/ -»x)  -*(x_1  □  A)  is  closed  and  false  under  I 

and 

(l<x)  •<(x-1  □  A)  are  closed  and  have  the  same  values,  respectively, 
as  t  under  I. 

In  other  words,  the  terms  t  suit  the  assertion  /  ■*  x,  with  suiting  substitution 
x'1  Q  A,  and  therefore  suit  the  tableau  itself. 

Similarly,  we  can  show  that,  if  closed  terms  t  suit  T'  under  I ,  they  also  suit 
T  under  J.  ({  exercise??  )).  Hence  T  and  T'  are  equivalent,  j 


INSTANTIATION

The instantiation property states that we may add to the tableau any instance of any of its rows, obtaining an equivalent tableau.

Property (instantiation)

In a theory, for any substitution $\theta$,

    a tableau containing an assertion [or goal] $\mathcal{F}$ with output entries $\bar s$ [or none]
    is equivalent to
    the tableau containing in addition the assertion [or goal] $\mathcal{F} \triangleleft \theta$ with the output entries $\bar s \triangleleft \theta$ [or none].

Note that, in the duality and renaming properties, we replaced one row with another; in this instantiation property, we add a new row but do not remove the original one.

Justification (instantiation)

Let $I$ be any model for the theory in question, and let $\theta$ be any substitution. We consider only the assertion case.

Let $\mathcal{T}$ be a tableau with the assertion $\mathcal{F}$ and output entries $\bar s$ [or none], and $\mathcal{T}'$ be the tableau with the assertion $\mathcal{F} \triangleleft \theta$ and output entries $\bar s \triangleleft \theta$ [or none] in addition. By the instantiation property for basic tableaux, we know that $\mathcal{T}$ is true under $I$ if and only if $\mathcal{T}'$ is true under $I$.

Suppose that the closed terms $\bar t$ suit $\mathcal{T}$ under $I$. Since every row in $\mathcal{T}$ is also in $\mathcal{T}'$, we know that $\bar t$ also suit $\mathcal{T}'$ under $I$.

Suppose, on the other hand, that the closed terms $\bar t$ suit $\mathcal{T}'$ under $I$. Then they suit some row of $\mathcal{T}'$ under $I$. If that row is not the assertion $\mathcal{F} \triangleleft \theta$, then the row also occurs in $\mathcal{T}$, so the terms $\bar t$ also suit $\mathcal{T}$ under $I$.

Suppose the terms $\bar t$ suit the assertion $\mathcal{F} \triangleleft \theta$ in $\mathcal{T}'$ under $I$. Then, for some suiting substitution $\lambda$, we have the truth condition,

    $(\mathcal{F} \triangleleft \theta) \triangleleft \lambda$, that is, $\mathcal{F} \triangleleft (\theta \Box \lambda)$, is closed and false under $I$,

and the output condition,

    the terms $(\bar s \triangleleft \theta) \triangleleft \lambda = \bar s \triangleleft (\theta \Box \lambda)$ are closed and have the same values, respectively, as $\bar t$ under $I$.

Hence the terms $\bar t$ suit the assertion $\mathcal{F}$ in $\mathcal{T}$, with suiting substitution $\theta \Box \lambda$, and therefore suit the tableau $\mathcal{T}$ itself.

Hence $\mathcal{T}$ and $\mathcal{T}'$ are equivalent.
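The two substitution identities these justifications rest on, $\mathcal{F} \triangleleft \lambda = (\mathcal{F} \triangleleft \pi) \triangleleft (\pi^{-1} \Box \lambda)$ for renaming and $(\mathcal{F} \triangleleft \theta) \triangleleft \lambda = \mathcal{F} \triangleleft (\theta \Box \lambda)$ for instantiation, can be checked mechanically. The following Python program is an added example and not part of the book: it represents terms as nested tuples and substitutions as dictionaries, and the names apply_subst, compose, inverse and the sample sentence p(x, y, a) with the 3-cycle renaming are this example's own choices.

```python
# Added example (not from the book): substitutions on terms, their composition,
# permutation substitutions and their inverses, used to check the identities
# that the renaming and instantiation justifications rely on.
# Terms are nested tuples: ('var', name), ('const', name) or
# ('app', symbol, arg1, ..., argk). A substitution is a dict {name: term}.

def var(name):
    return ('var', name)

def const(name):
    return ('const', name)

def app(symbol, *args):
    return ('app', symbol) + tuple(args)

def apply_subst(e, theta):
    """e <| theta: replace every free variable of e simultaneously."""
    if e[0] == 'var':
        return theta.get(e[1], e)
    if e[0] == 'const':
        return e
    return ('app', e[1]) + tuple(apply_subst(a, theta) for a in e[2:])

def compose(theta, lam):
    """theta [] lam, the substitution with e <| (theta [] lam) == (e <| theta) <| lam.
    Each replacement of theta is instantiated by lam; pairs of lam whose
    variable theta does not replace are kept; trivial pairs x <- x are dropped."""
    result = {x: apply_subst(t, lam) for x, t in theta.items()}
    for x, t in lam.items():
        if x not in theta:
            result[x] = t
    return {x: t for x, t in result.items() if t != var(x)}

EMPTY = {}   # the empty substitution { }

def is_permutation(pi):
    """pi = {x1 <- y1, ..., xn <- yn} where y1..yn is a rearrangement of x1..xn."""
    return (all(t[0] == 'var' for t in pi.values())
            and sorted(t[1] for t in pi.values()) == sorted(pi))

def inverse(pi):
    """pi^{-1}, the permutation substitution with pi [] pi^{-1} == { }."""
    if not is_permutation(pi):
        raise ValueError("only permutation substitutions have inverses")
    return {t[1]: var(x) for x, t in pi.items()}

def renaming_identity_holds(f, pi, lam):
    """F <| lam == (F <| pi) <| (pi^{-1} [] lam), the step in the renaming justification."""
    return apply_subst(f, lam) == apply_subst(apply_subst(f, pi), compose(inverse(pi), lam))

def instantiation_identity_holds(f, theta, lam):
    """(F <| theta) <| lam == F <| (theta [] lam), the step in the instantiation justification."""
    return apply_subst(apply_subst(f, theta), lam) == apply_subst(f, compose(theta, lam))

# Constructed sample data: a sentence p(x, y, a), a 3-cycle renaming, and an
# arbitrary suiting substitution.
F = app('p', var('x'), var('y'), const('a'))
PI = {'x': var('y'), 'y': var('z'), 'z': var('x')}
LAM = {'x': const('b'), 'y': app('g', var('x'))}
NOT_A_PERMUTATION = {'x': var('y')}   # replaces x by y but never restores x

if __name__ == '__main__':
    print(compose(PI, inverse(PI)))                  # {}
    print(renaming_identity_holds(F, PI, LAM))       # True
    print(instantiation_identity_holds(F, PI, LAM))  # True
    print(is_permutation(NOT_A_PERMUTATION))         # False
```

The substitution {x ← y} on its own is not a permutation substitution: composing it with {y ← x} leaves the pair y ← x behind, so no inverse exists, which is why the renaming property is restricted to substitutions whose replacement variables rearrange the replaced ones.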


\ 

VALID ASSERTION

The valid-assertion property states that we may add any valid assertion to a tableau, obtaining an equivalent tableau.

Chapter 14: Program Synthesis

Property (valid assertion)

In any theory, for any valid sentence $\mathcal{A}$,

    a tableau $\mathcal{T}$
    is equivalent to
    the tableau $\mathcal{T}'$ obtained from $\mathcal{T}$ by adding the assertion $\mathcal{A}$.

Justification (valid assertion)

Let $I$ be any model for the theory in question. That $\mathcal{T}$ is true under $I$ precisely when $\mathcal{T}'$ is true under $I$ follows from properties of basic tableaux.

Suppose the closed terms $\bar t$ suit $\mathcal{T}$ under $I$. Since every row of $\mathcal{T}$ is also a row of $\mathcal{T}'$, we know that $\bar t$ also suit $\mathcal{T}'$ under $I$.

Suppose, on the other hand, that the closed terms $\bar t$ suit $\mathcal{T}'$ under $I$. Then they suit some row of $\mathcal{T}'$ under $I$. That row cannot be the assertion $\mathcal{A}$, because, as mentioned in a previous remark, no terms can suit a valid assertion of the theory (no closed instance of a valid sentence is false under $I$, so the truth condition cannot hold); therefore $\bar t$ must suit one of the original rows of $\mathcal{T}$. That is, $\bar t$ suit $\mathcal{T}$ under $I$.


OUTPUT ENTRY

The output entry property is the one we use to relate the output entries of tableaux with the specifications of programs.

Property (output entry)

In any theory, if the closed terms $\bar t[\bar a]$ satisfy a tableau

    assertions | goals                            | $\bar f(\bar a)$
    -----------+----------------------------------+------------------
               | $\mathcal{F}[\bar a; \bar z]$    | $\bar z$

where $\bar a$ are new constants and $\bar z$ are the only free variables in $\mathcal{F}[\bar a; \bar z]$, then the sentence

    $(\forall \bar x)\,\mathcal{F}[\bar x;\ \bar t[\bar x]]$

is valid in the theory.

Let us illustrate the property.

Example (output entry property)

In the theory of trees, suppose we establish that the closed term $a_1 \bullet a_2$ satisfies the tableau

    assertions | goals                                   | $f(a_1, a_2)$
    -----------+-----------------------------------------+---------------
               | $a_1 = left(z)$ and $a_2 = right(z)$    | $z$

Then, by the output entry property, we know that the sentence

    $(\forall x_1, x_2)[x_1 = left(x_1 \bullet x_2)$ and $x_2 = right(x_1 \bullet x_2)]$

is valid in the theory of trees.

Justification (output entry)

Suppose that the closed terms $\bar t[\bar a]$ satisfy the above tableau. To show that $(\forall \bar x)\,\mathcal{F}[\bar x; \bar t[\bar x]]$ is valid (in the theory), it suffices (by the universal quantifier-elimination proposition) to show that

    $\mathcal{F}[\bar a; \bar t[\bar a]]$

is valid, since $\bar a$ are new constants. Consider an arbitrary model $I$; we show that

    (*) $\mathcal{F}[\bar a; \bar t[\bar a]]$ is true under $I$.

Because $\bar t[\bar a]$ satisfy the above tableau, they suit the sole row of the tableau under $I$. In other words, for some suiting substitution $\lambda$, we have the truth condition,

    $\mathcal{F}[\bar a; \bar z] \triangleleft \lambda$ is closed and true under $I$,

and the output condition,

    $\bar z \triangleleft \lambda$ are closed and have the same values, respectively, as $\bar t[\bar a]$ under $I$.

Because $\bar z$ are all the free variables of $\mathcal{F}[\bar a; \bar z]$, this means that

    $\mathcal{F}[\bar a;\ \bar z \triangleleft \lambda]$ is true under $I$,

or, equivalently (by the output condition),

    $\mathcal{F}[\bar a;\ \bar t[\bar a]]$ is true under $I$.

But this is the condition (*) we wanted to show.

Now that we have established the properties of extended deductive tableaux, we are ready to show how tableaux may be used for program derivation.

14.4 THE DERIVATION PROCESS

Let us review the problem of program derivation. We are given a specification

    $\mathcal{Q}[\bar x; \bar z]$

in a theory, with input sorts $obj$, and we would like to derive a program

    $\bar f(\bar x) = \bar t[\bar x]$

that satisfies this specification. In other words, we want to find terms $\bar t[\bar x]$ such that the correctness condition

    if $(\forall\, obj\ \bar x)[\bar f(\bar x) = \bar t[\bar x]]$
    then $(\forall\, obj\ \bar x)\,\mathcal{Q}[\bar x; \bar f(\bar x)]$

is valid in the theory.

THE INITIAL TABLEAU

Our approach is to prove the theorem

    $(\forall\, obj\ \bar x)(\exists \bar z)\,\mathcal{Q}[\bar x; \bar z]$

and obtain the terms $\bar t[\bar x]$ as a byproduct of the proof process.

This sentence is an abbreviation (using the relative quantifier notation) for

    $(\forall \bar x)$[ if $obj(\bar x)$ then $(\exists \bar z)\,\mathcal{Q}[\bar x; \bar z]$ ].

We shall actually establish the skolemized form of this sentence,

    if $obj(\bar a)$ then $\mathcal{Q}[\bar a; \bar z]$,

where $\bar a = a_1, \ldots, a_m$ are "new" constants, i.e., constants that do not already occur in the vocabulary of the theory.


At the same time, we shall derive the desired terms $\bar t[\bar a]$ using the output columns of the tableau. For this purpose, we establish the validity of a particular "initial tableau."

Definition (initial tableau)

For a given specification $\mathcal{Q}[\bar x; \bar z]$ in a theory, with input sorts $obj$, an initial tableau is as follows:

    assertions | goals                               | $\bar f(\bar a)$
    -----------+-------------------------------------+------------------
               | if $obj(\bar a)$                    | $\bar z$
               | then $\mathcal{Q}[\bar a; \bar z]$  |

The skolem constants $\bar a$ are called the input constants. Note that this tableau has $n$ output columns, one for each output variable $\bar z = z_1, z_2, \ldots, z_n$.

An initial tableau may also contain as assertions any valid sentences of the theory in question, without output entries.

The initial tableau has an important property, expressed in the following result.

Proposition (initial tableau)

In any theory,

    if the closed terms $\bar t[\bar a]$ satisfy the initial tableau for a specification,
    then the program $\bar f(\bar x) = \bar t[\bar x]$ satisfies the specification.
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Proof 

Assume  that,  in  a  theory,  the  closed  terms  t[o]  satisfy  the  initial  tableau 
for  the  specification  Q[x;  z],  with  input  sorts  obj.  We  show  that  the  correctness 
condition 

if  (V  obj  x)  j/(z)  =  <[*]] 
then  (V  obj  x)Q[ x,  /(if)] 
is  valid  in  the  theory. 

Assume  that  (under  a  given  model) 

(»)  (V  otj  x)[f{x)  =  t[z]] 

is  true.  We  show  that  then 

(V  obj  x)Q\xJ(x)] 

is  also  true. 


It  suffices,  by  our  assumption  (*),  to  show  that 
(V  obj  x)2[x;  f(x]], 

that  is  (expanding  the  relativized  quantifier), 


(Vx) 


tf  obj(x) 
then  Q  [z;  t(5?)] 


is  true.  By  the  output  entry  property,  to  show  that  the  above  sentence  is  actually 
valid,  it  suffices  that  the  closed  terms  i[o]  satisfy  the  tableau 


goals 

if  obj(a) 
then  fi[a;z) 


/(a) 


The  valid- assertion  property  allows  us  to  add  any  valid  sentences  of  the  theory  to 
this  tableau  as  assertions,  without  changing  the  satisfying  terms.  In  other  words, 
it  suffices  that  the  closed  terms  t[a]  that  satisfy  the  initial  tableau,  as  we  have 
assumed .  , 
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Example  (flattreel) 

In  our  example  of  program  transformation  (Section  ??),  we  specified  the 
program  ftaitreel,  which  computes  the  flaitne  function,  with  the  sentence 

Ql[x,  z]  :  z  =  flattree(x) 


in  a  combined  theory  of  trees  and  strings,  where  the  input  sort  is  tree. 
The  initial  tableau  is  thus 


assertions 

goals 

flattreel(a) 

if  tree(a) 

then  z  =  flattree(a) 

z 

Properties  of  the  combined  theory  of  trees  and  strings  may  be  included  in  the 
initial  tableau  as  assertions.  , 


PRIMITIVE EXPRESSIONS

We have mentioned that some symbols are "primitive"; they denote objects, functions, or relations we know how to compute. Other symbols, such as quantifiers and some skolem functions, are "nonprimitive"; we do not know how to compute what they denote. We shall assume that at the beginning of each derivation we are given a list of primitive constant, function, and predicate symbols, called the primitive list. Typically this list will include the truth symbols true and false, the propositional connectives, the term constructor if-then-else, the basic constant, function, and predicate symbols of the theory, and any symbols that have been defined by computationally suggestive axioms. In addition, we may include in the primitive list any function symbols for which we have already derived programs.

We may now define a primitive expression as follows:

We define an expression $e$ to be primitive in a given initial tableau if each symbol that occurs in $e$ is a variable, an element of the primitive list, or one of the input constants $\bar a$. For example, for the flattree2 derivation, the term

    if $atom(a_1)$ then $a_1 \bullet a_2$ else $z$

is primitive.
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INTERMEDIATE  TABLEAUX 

When  we  are  establishing  the  validity  of  a  basic  tableau,  we  apply  deduction 
rules  that  add  new  rows  but  preserve  validity,  until  we  obtain  the  final  assertion 
false  or  the  final  goal  true.  In  deriving  a  program,  we  apply  deduction  rules  to 
an  extended  tableau.  In  addition  to  maintaining  the  validity  of  the  tableau,  the 
extended  rules  will  “maintain  the  satisfying  terms”  of  the  tableau.  In  other  words, 
a  closed  term  will  satisfy  the  new  tableau  if  and  only  if  it  satisfies  the  old  tableau. 
When  we  obtain  the  final  assertion  false  or  the  final  goal  true,  its  output  entries 
will  provide  the  final  program,  as  we  shall  see. 

The  tableaux  we  develop  all  have  a  property  expressed  as  follows. 


Proposition  (intermediate  tableau) 

In  a  theory,  at  each  stage  in  the  derivation  of  a  program  from  a  specifi¬ 
cation,  the  following  property  holds: 

if  the  closed  terms  <[a]  satisfy  the  tableau, 

then  the  program  f(x)  =  <[S]  satisfies  the  specification.  ^ 


Proof 

To  establish  that  the  desired  property  holds  at  each  stage  of  the  derivation, 
we  show  that 

(t)  the  property  holds  for  the  initial  tableau 
and 

(1)  if  the  property  holds  for  the  tableau  before  application  of  a 
deduction  rule,  it  also  holds  afterwards 

That  (f)  is  true  is  exactly  the  content  of  the  initial-tableau  proposition,  that 
if  the  closed  terms  7(a)  satisfy  the  initial  tableau  (in  the  theory),  then  the  program 
/(?)  =  t[x]  satisfies  the  specification. 

To  show  (J),  we  assume  that 

(*)  the  property  holds  for  the  tableau  T  before  application  of  a  deduction  rule, 

and  show  that  then  the  property  holds  for  the  tableau  T'  after  application  of  the 
rule.  For  this  purpose,  we  suppose  that 

(**)  the  closed  terms  7[S]  satisfy  the  tableau  T' 
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( 

t 

l 


i 

I 


and  show  that  then  the  program  /(x)  =  t[x]  satisfies  the  specification. 

Because  the  deduction  rules  maintain  satisfying  terms,  we  know,  by  our  sup¬ 
position  (**),  that  ?[3]  also  satisfy  the  tableau  T.  But  then,  by  our  assumption 
(*),  the  program  f(z)  —  ?{x]  satisfies  our  specification,  as  we  wanted  to  show. 


THE FINAL TABLEAU

In a later section, we shall adapt each of our rules to apply to extended tableaux, in such a way that an extended justification condition will hold. The rules add new rows to the tableau, but the set of satisfying terms is the same at each stage. The deductive process continues until we obtain the final assertion

    assertions | goals | $\bar f(\bar a)$
    -----------+-------+--------------------
    false      |       | $\bar t'[\bar a]$

or the final goal

    assertions | goals | $\bar f(\bar a)$
    -----------+-------+--------------------
               | true  | $\bar t'[\bar a]$

where we require that the terms $\bar t'[\bar a]$ be primitive. These terms are not necessarily closed. Let $\bar t[\bar a]$ be obtained from $\bar t'[\bar a]$ by replacing all the variables with primitive constants; it does not matter which. At this point, we extract the final program

    $\bar f(\bar x) = \bar t[\bar x]$.

Remark

If the terms $\bar t'[\bar a]$ are not primitive, we must continue the derivation until a final row (goal true or assertion false) with primitive output entries is obtained. In fact, even if the $\bar t'[\bar a]$ are primitive, we may continue the derivation, perhaps to obtain a final row with different output entries, and hence a different final program.

That the final program is indeed satisfactory is established as follows:

Proposition (final tableau)

The final program $\bar f(\bar x) = \bar t[\bar x]$ satisfies the specification $\mathcal{Q}[\bar x; \bar z]$ in the theory.

Proof

By the intermediate-tableau proposition, it suffices to show that the closed terms $\bar t[\bar a]$ satisfy the tableau in the theory. Let $I$ be any model for the theory; it suffices to show that $\bar t[\bar a]$ suit the tableau under $I$. We actually show that $\bar t[\bar a]$ suit the final row.

We have taken $\bar t[\bar a]$ to be closed instances of the output entries $\bar t'[\bar a]$ of the final row. That is, $\bar t[\bar a]$ are $(\bar t'[\bar a]) \triangleleft \lambda$, for some substitution $\lambda$ (the one that replaces each variable by the chosen primitive constant). Let us take our suiting substitution to be $\lambda$. To show the truth condition, we must show that the sentence $false \triangleleft \lambda$, that is, $false$, is closed and false under $I$ [or the sentence $true \triangleleft \lambda$, that is, $true$, is closed and true under $I$]; but this is clearly the case.

To show the output condition, we must show that the instances $(\bar t'[\bar a]) \triangleleft \lambda$ are closed and have the same values, respectively, as $\bar t[\bar a]$ under $I$; but in fact these terms are respectively identical.


Even before we describe the extension of the deduction rules, we illustrate the derivation process with a simple example.

Example (sex)

In the family theory, suppose that all people are either male or female, that is,

    $(\forall\, person\ u)[sex(u, male)$ or $sex(u, female)]$    (sex)

Suppose we would like to construct a program $s(x) = t[x]$ to find the sex of a given person, that is, to meet the specification

    $\mathcal{Q}[x; z]$ :  $sex(x, z)$,

where the input sort is $person$.

From the specification, we form the initial tableau

    assertions | goals                    | $s(a)$
    -----------+--------------------------+--------
               | G1. if $person(a)$       | $z$
               |     then $sex(a, z)$     |

We assume that the constants $male$ and $female$ and the predicate symbol $sex$ are all primitive. We include the sex axiom as an assertion:

    assertions                                   | goals | $s(a)$
    ---------------------------------------------+-------+--------
    if $person(u)$                               |       |
    then $sex(u, male)$ or $sex(u, female)$      |       |

By the initial-tableau proposition, we know that, if any closed term $t[a]$ satisfies the above tableau in the family theory, the program $s(x) = t[x]$ must meet the specification.

By applying some extended deduction rules, we shall be able to obtain the goal row

    assertions | goals                       | $s(a)$
    -----------+-----------------------------+---------
               | G2. not $sex(a, female)$    | $male$

By the intermediate-tableau proposition, we know that if any closed term $t[a]$ satisfies the new tableau in the family theory, the program $s(x) = t[x]$ again must meet the specification.

By applying another extended deduction rule, we shall be able to obtain the final goal row

    assertions | goals      | $s(a)$
    -----------+------------+------------------------
               | G3. true   | if $sex(a, female)$
               |            | then $female$
               |            | else $male$

The conditional term (if $sex(a, female)$ then $female$ else $male$) is primitive and contains no variables. Therefore, we may stop the derivation process and extract the program

    $s(x) = $ if $sex(x, female)$ then $female$ else $male$.

By the final-tableau proposition, we know that this program must meet the specification.


14.5 RECURSIVE PROGRAMS

Some special treatment is necessary to derive recursive programs $\bar f(\bar x) = \bar t[\bar x]$, in which the function symbols $\bar f$ may occur in the terms $\bar t[\bar x]$. Such programs are obtained by using the well-founded induction principle in the derivation.

We derive a program to satisfy the specification $\mathcal{Q}[\bar x; \bar z]$ by proving a theorem $(\forall\, obj\ \bar x)(\exists \bar z)\,\mathcal{Q}[\bar x; \bar z]$. If we remove the outer quantifiers of this theorem in forming the initial tableau, we cannot complete the proof by induction on any of the variables $\bar x$. If instead we leave the quantifiers in place and invoke the induction principle before forming the initial tableau, we shall be able to obtain a recursive program.

The induction will be with respect to a well-founded relation over $m$-tuples of sort $obj$ (see Section ??).

Definition (initial tableau, recursive)

In any theory, for a given specification $\mathcal{Q}[\bar x; \bar z]$ with input sorts $obj$ and for a given relation $\prec$ well-founded over $m$-tuples of sort $obj$, an initial tableau for deriving a recursive program is as follows:

    assertions | goals                                                                                          | $\bar f(\bar a)$
    -----------+------------------------------------------------------------------------------------------------+------------------
               | if $obj(\bar a)$                                                                               | $\bar z$
               | then if $(\forall\, obj\ \bar u)$[ if $(\bar u) \prec (\bar a)$ then $\mathcal{Q}[\bar u; \bar f(\bar u)]$ ] |
               | then $\mathcal{Q}[\bar a; \bar z]$                                                             |

Here $\bar a = a_1, \ldots, a_m$ are new constants. The function symbols $\bar f$ are included in the primitive list. Any valid sentences of the theory may be included in the tableau as assertions, without output entries.


Example (flattree2)

In a combined theory of trees and strings, the specification for the program flattree2, which flattens a tree and concatenates the result with a string, is

    $\mathcal{Q}_3[x_1, x_2; z]$ :  $z = flattree(x_1) * x_2$,

with input sorts $tree$ and $string$ (here $*$ denotes string concatenation). To construct a recursive program from this specification, with a well-founded relation $\prec$ over 2-tuples of trees and strings, we form the initial tableau

    assertions | goals                                                                                                          | $flattree2(a_1, a_2)$
    -----------+----------------------------------------------------------------------------------------------------------------+-----------------------
               | if $tree(a_1)$ and $string(a_2)$                                                                                | $z$
               | then if $(\forall\, tree\ u_1)(\forall\, string\ u_2)$[ if $(u_1, u_2) \prec (a_1, a_2)$ then $flattree2(u_1, u_2) = flattree(u_1) * u_2$ ] |
               | then $z = flattree(a_1) * a_2$                                                                                  |

Properties of the combined theory of trees and strings may be included in the initial tableau as additional assertions.
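The induction hypothesis in this tableau may be used only for pairs $(u_1, u_2) \prec (a_1, a_2)$, so a candidate recursive program is correct under this tableau only if each of its recursive calls is on such a pair and its result meets the specification. The following Python program is an added example, not from the book: it checks a candidate program on constructed (tree, string) inputs and also shows how a candidate whose recursive call is not on a smaller pair is rejected. The candidate body flattree2_body, the relation precedes (the first component is a proper subtree of $a_1$), the unsound variant, and the encoding of trees as nested pairs and strings as Python lists are all assumptions of the example; the page gives only the initial tableau, not the program the derivation produces.

```python
# Added example (not from the book): checking a candidate recursive program
# for flattree2 against the specification Q3[x1, x2; z]: z = flattree(x1) * x2
# and against the well-founded relation the induction step relies on.
# The candidate body and the relation are assumptions of this example.
# Trees are atoms (str) or pairs (left, right); strings are Python lists.
import random

def atom(x):
    return isinstance(x, str)

def left(x):
    return x[0]

def right(x):
    return x[1]

def flattree(x):
    """The flattree function of the theory: the atoms of x, left to right."""
    return [x] if atom(x) else flattree(left(x)) + flattree(right(x))

def spec(x1, x2, z):
    """Q3[x1, x2; z]: z = flattree(x1) * x2, with * list concatenation."""
    return z == flattree(x1) + x2

def proper_subtree(u, a):
    if atom(a):
        return False
    return (u == left(a) or u == right(a)
            or proper_subtree(u, left(a)) or proper_subtree(u, right(a)))

def precedes(u, a):
    """(u1, u2) < (a1, a2) iff u1 is a proper subtree of a1 (assumed relation;
    well-founded because every tree is finite)."""
    return proper_subtree(u[0], a[0])

def flattree2_body(a1, a2, rec):
    """Assumed candidate body for flattree2; rec stands for its recursive calls."""
    if atom(a1):
        return [a1] + a2            # a1 . a2: prefix the atom to the string
    return rec(left(a1), rec(right(a1), a2))

def flattree2(x1, x2):
    return flattree2_body(x1, x2, flattree2)

def unsound_body(a1, a2, rec):
    """A body whose recursive call is on the same pair: the induction
    hypothesis does not cover it, so the derivation would not be justified."""
    return [a1] + a2 if atom(a1) else rec(a1, a2)

def induction_step_ok(body, a1, a2):
    """Check the inductive step for inputs (a1, a2): every recursive call is on
    a pair (u1, u2) < (a1, a2), and, granting the induction hypothesis for those
    calls (flattree2 is used to evaluate them), the result satisfies the spec."""
    smaller = True
    def rec(u1, u2):
        nonlocal smaller
        if not precedes((u1, u2), (a1, a2)):
            smaller = False
        return flattree2(u1, u2)
    z = body(a1, a2, rec)
    return smaller and spec(a1, a2, z)

def random_tree(rng, depth):
    if depth == 0 or rng.random() < 0.3:
        return rng.choice('abcd')
    return (random_tree(rng, depth - 1), random_tree(rng, depth - 1))

def check_many(body, n=200, seed=1):
    """Run induction_step_ok over n constructed (tree, string) inputs."""
    rng = random.Random(seed)
    return all(induction_step_ok(body, random_tree(rng, 4),
                                 [rng.choice('xyz') for _ in range(rng.randrange(3))])
               for _ in range(n))

if __name__ == '__main__':
    print(flattree2(('a', ('b', 'c')), ['d']))   # ['a', 'b', 'c', 'd']
    print(check_many(flattree2_body))             # True
    print(check_many(unsound_body))               # False
```

Such a check only samples inputs; the tableau derivation is what establishes the program for all inputs. It is, however, a quick way to catch a candidate whose recursion is not justified by the chosen well-founded relation.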


The initial tableau for recursive programs may be shown to have the desired property.

Proposition (initial tableau for recursive programs)

In any theory,

    if the closed terms $\bar t[\bar a]$ satisfy the (recursive) initial tableau for a specification $\mathcal{Q}[\bar x; \bar z]$ with input sorts $obj$,
    and if $\prec$ is well-founded over $m$-tuples of sort $obj$,
    then the program $\bar f(\bar x) = \bar t[\bar x]$ satisfies the specification.

Proof

To show that the program $\bar f(\bar x) = \bar t[\bar x]$ satisfies the specification, we establish the validity of the correctness condition

    if $(\forall\, obj\ \bar x)[\bar f(\bar x) = \bar t[\bar x]]$
    then $(\forall\, obj\ \bar x)\,\mathcal{Q}[\bar x; \bar f(\bar x)]$

in the theory.

Under a given model for the theory, we assume that

    (*) $(\forall\, obj\ \bar x)[\bar f(\bar x) = \bar t[\bar x]]$

is true and show that then

    $(\forall\, obj\ \bar x)\,\mathcal{Q}[\bar x; \bar f(\bar x)]$

is also true.

By the well-founded induction principle over $m$-tuples of sort $obj$, it is enough to show the inductive step

    $(\forall\, obj\ \bar x)$[ if $(\forall\, obj\ \bar u)$[ if $(\bar u) \prec (\bar x)$ then $\mathcal{Q}[\bar u; \bar f(\bar u)]$ ] then $\mathcal{Q}[\bar x; \bar f(\bar x)]$ ].

It suffices, by our assumption (*), to show that

    $(\forall\, obj\ \bar x)$[ if $(\forall\, obj\ \bar u)$[ if $(\bar u) \prec (\bar x)$ then $\mathcal{Q}[\bar u; \bar f(\bar u)]$ ] then $\mathcal{Q}[\bar x; \bar t[\bar x]]$ ]

or, expanding the outermost relativized quantifier,

    $(\forall \bar x)$[ if $obj(\bar x)$ then if $(\forall\, obj\ \bar u)$[ if $(\bar u) \prec (\bar x)$ then $\mathcal{Q}[\bar u; \bar f(\bar u)]$ ] then $\mathcal{Q}[\bar x; \bar t[\bar x]]$ ]

is true.

By the output entry property, to show that the above sentence is actually valid, it suffices to find closed terms $\bar t[\bar a]$ that satisfy the tableau

    assertions | goals                                                                                          | $\bar f(\bar a)$
    -----------+------------------------------------------------------------------------------------------------+------------------
               | if $obj(\bar a)$                                                                               | $\bar z$
               | then if $(\forall\, obj\ \bar u)$[ if $(\bar u) \prec (\bar a)$ then $\mathcal{Q}[\bar u; \bar f(\bar u)]$ ] |
               | then $\mathcal{Q}[\bar a; \bar z]$                                                             |

The valid-assertion property allows us to add as assertions to this tableau any valid sentences of the theory, without changing the satisfying terms. Thus, it suffices that the closed terms $\bar t[\bar a]$ satisfy the (recursive) initial tableau, as we have assumed.


Remark (one input case)

In the special case in which there is only one input object (i.e., $m = 1$), we have no need to use well-founded induction over tuples of sort $obj$; we may use well-founded induction over individuals of sort $obj_1$, that is, $obj$, instead. (Recall that in this case we drop the subscripts from the input symbols.) For the specification $\mathcal{Q}[x; \bar z]$, we take our (recursive) initial tableau to be

    assertions | goals                                                                    | $\bar f(a)$
    -----------+--------------------------------------------------------------------------+-------------
               | if $obj(a)$                                                              | $\bar z$
               | then if $(\forall\, obj\ u)$[ if $u \prec a$ then $\mathcal{Q}[u; \bar f(u)]$ ] |
               | then $\mathcal{Q}[a; \bar z]$                                            |

where $\prec$ is well-founded over $obj$.

By the same argument as for the general case, we may show that if the closed terms $\bar t[a]$ satisfy this tableau (with optional valid sentences of the theory added as assertions), then the program $\bar f(x) = \bar t[x]$ satisfies the specification.
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We  are  now  ready  to  adapt  the  deduction  rules  of  our  system  to  apply  to  extended 
tableaux.  Each  rule  will  introduce  new  output  entries  as  well  as  assertions  or  goals 
and  will  maintain  satisfying  terms  as  well  as  validity. 


JUSTIFICATION PROPOSITION

Each deduction rule requires that certain rows (the "required rows") already be present in the tableau and generates certain new rows (the "generated rows") to be introduced into the tableau. For each deduction rule we require an extended justification condition, which consists of the original justification condition, which guarantees that the rule maintains validity, plus a new condition, which guarantees that the rule maintains satisfying terms.

Proposition (justification)

A deduction rule maintains the terms satisfying a tableau to which it is applied if the following justification condition for satisfying terms holds:

    For any model $I$ for the theory and for any closed terms $\bar t$,
        if $\bar t$ suit any of the generated rows under $I$
        then $\bar t$ suit at least one of the required rows under $I$.

Proof

Assume that the justification condition for satisfying terms holds; we would like to show that the deduction rule maintains satisfying terms.

Consider arbitrary closed terms $\bar t$. We show that, in the theory, the terms $\bar t$ satisfy the given tableau $\mathcal{T}$ if and only if they satisfy the new tableau $\mathcal{T}'$.

In one direction, the proof does not require the justification condition at all. Suppose that the terms $\bar t$ satisfy the original tableau $\mathcal{T}$ in the theory. Let $I$ be any model for the theory; then $\bar t$ suit some row of $\mathcal{T}$ under $I$. But because deduction rules do not delete rows, every row of $\mathcal{T}$ is also a row of $\mathcal{T}'$. So $\bar t$ suit some row of $\mathcal{T}'$, that is, $\bar t$ suit $\mathcal{T}'$ under $I$. Hence $\bar t$ satisfy the new tableau $\mathcal{T}'$, as we wanted to show.

For the other direction, suppose that the terms $\bar t$ satisfy the new tableau $\mathcal{T}'$. We would like to show that then $\bar t$ satisfy the original tableau $\mathcal{T}$. Let $I$ be any model for the theory; then it suffices to show that $\bar t$ suit $\mathcal{T}$ under $I$.

Because the terms $\bar t$ satisfy $\mathcal{T}'$ in the theory, $\bar t$ suit some row of $\mathcal{T}'$ under $I$. If this row was already a row of $\mathcal{T}$, then $\bar t$ suit $\mathcal{T}$ under $I$, as we wanted to show. Otherwise, the row must have been generated by the deduction rule. In this case (by the justification condition for satisfying terms), $\bar t$ must suit at least one of the required rows, which must appear in $\mathcal{T}$. Hence $\bar t$ suit $\mathcal{T}$ under $I$, as we wanted to show.


SIMPLIFICATION 


Any  sentence  or  term  introduced  into  a  tableau  is  automatically  subjected  to  a 
simplification  process,  in  which  certain  subsentences  are  replaced  by  equivalent 
but  simpler  sentences,  and  certain  subterms  are  replaced  by  equal  but  simpler 
terms.  For  extended  tableaux,  simplification  is  applied  to  the  output  entries  as 
well  as  the  assertions  and  goals.  Simplification  is  not  regarded  as  a  separate  rule; 
we  apply  it  automatically  whenever  we  add  a  new  row  to  a  tableau. 
Example

Suppose that the following row is to be added to a tableau.

    assertions | goals          | f(a)
               | p(x) and p(x)  | if p(x) then a else a

The goal of this row would automatically be simplified to p(x), by application of the simplification

    (F and F) => F.

Also, the output entry would be simplified to a, by application of the simplification

    (if F then s else s) => s.

The entire row would thus be simplified to

    assertions | goals | f(a)
               | p(x)  | a


Simplification  is  easily  justified  because  we  always  replace  a  subsentence  by 
an  equivalent  sentence  or  a  subterm  by  an  equal  term.  In  particular,  the  satisfying 
terms  are  maintained. 


SPLITTING RULES

The splitting rules break rows down into their logical components. The extended rules are very similar to the basic splitting rules. The output entries of the generated rows are the same as those of the required rows. We present all three splitting rules in tableau notation.

• And-split rule

    assertions   | goals | f(a)
    A1 and A2    |       | s
    A1           |       | s
    A2           |       | s

• Or-split rule

    assertions | goals     | f(a)
               | G1 or G2  | s
               | G1        | s
               | G2        | s

• If-split rule

    assertions | goals         | f(a)
               | if A then G   | s
    A          |               | s
               | G             | s

In each rule, there are n output columns, containing the output entries s = s1, s2, ..., sn.

Remark

In deriving a nonrecursive program from a specification Q[x; z], we formed the initial tableau

    assertions | goals                   | f(a)
               | if obj(a) then Q[a; z]  | z

By application of the if-split rule, we may decompose this row into an assertion and a goal

    assertions | goals    | f(a)
    obj(a)     |          | z
               | Q[a; z]  | z

Because the output entries z do not occur free in the assertion, they may be dropped; of course, the output entries for the goal must remain.

We shall automatically apply the if-split rule to the initial tableau. In fact, we shall henceforth regard the initial tableau to be the resulting assertion and goal, that is,

    assertions | goals    | f(a)
    obj(a)     |          |
               | Q[a; z]  | z
Similarly, in deriving a recursive program from a specification Q[x; z], we took the initial tableau to be

    assertions | goals                                 | f(a)
               | if obj(a)                             | z
               | then if (∀ obj u)[if (u) ≺ (a)        |
               |                   then Q[u; f(u)]]    |
               |      then Q[a; z]                     |

By application of the if-split rule, we may decompose this row to obtain an assertion and a goal

    assertions | goals                            | f(a)
    obj(a)     |                                  | z
               | if (∀ obj u)[if (u) ≺ (a)        | z
               |              then Q[u; f(u)]]    |
               | then Q[a; z]                     |

By a second application of the if-split rule, we may decompose the goal further, to obtain

    assertions                      | goals    | f(a)
    (∀ obj u)[if (u) ≺ (a)          |          | z
              then Q[u; f(u)]]      |          |
                                    | Q[a; z]  | z

The new assertion corresponds to the induction hypothesis, and the new goal to the desired conclusion, for the inductive step of a proof. Again, because the output entries z do not occur free in the assertions, the output entries for these rows may be dropped.

We shall automatically apply the if-split rule to the initial tableau for a recursive program; in fact, we shall henceforth regard the following three rows as the initial tableau:

    assertions                      | goals    | f(a)
    obj(a)                          |          |
    (∀ obj u)[if (u) ≺ (a)          |          |
              then Q[u; f(u)]]      |          |
                                    | Q[a; z]  | z

Example (initial tableaux after splitting)

For the flattree1 program, which flattens a tree, the specification is

    Q[x; z] : z = flattree(x),

with input sort tree. To construct a (nonrecursive) program to meet this specification, we form the initial tableau

    assertions | goals            | flattree1(a)
    tree(a)    |                  |
               | z = flattree(a)  | z

As usual, valid sentences of the theory may be included as additional assertions.

For the flattree2 program, which flattens a tree and concatenates the result with another string, the specification is

    Q[x1, x2; z] : z = flattree(x1) * x2,

with input sorts tree and string. To construct a recursive program to meet this specification, we form the initial tableau

    assertions                                        | goals                  | flattree2(a1, a2)
    tree(a1) and string(a2)                           |                        |
    (∀ tree u1)(∀ string u2)                          |                        |
      [if (u1, u2) ≺ (a1, a2)                         |                        |
       then flattree2(u1, u2) = flattree(u1) * u2]    |                        |
                                                      | z = flattree(a1) * a2  | z

Again, valid sentences of the theory may be included as additional assertions.

We shall justify only the if-split rule.

Justification (if-split rule)

We would like to establish that the justification conditions hold for the if-split rule. The justification condition for validity was established when we introduced the rule for basic tableaux. We need only show the justification condition for satisfying terms.

Let I be a model for the theory in question and let t be closed terms that suit one of the generated rows under I. We would like to show that t suit the required goal (if A then G) under I.

If the terms t suit the generated assertion A under I, then for some suiting substitution λ, we have the truth condition,

    A ◁ λ is closed and false under I,

and the output condition,

    s ◁ λ are closed and have the same values, respectively, as t under I.

Suppose u1, ..., uk are the free variables of G ◁ λ and let λ' = {u1 ← a, ..., uk ← a}, where a is any constant. We claim that, as we wanted to show, the terms t suit the goal (if A then G), with suiting substitution λ ∘ λ'. The truth condition holds, that is,

    (if A then G) ◁ (λ ∘ λ') = if (A ◁ λ) ◁ λ' then (G ◁ λ) ◁ λ'
                             = if A ◁ λ then (G ◁ λ) ◁ λ'
                               (because A ◁ λ is closed)

is closed and true under I (since A ◁ λ is false under I), and the output condition holds, that is,

    s ◁ (λ ∘ λ') = (s ◁ λ) ◁ λ'
                 = s ◁ λ
                   (because s ◁ λ are closed)

are closed and have the same values, respectively, as t under I.

Similarly, if the terms t suit the generated goal G under I, with suiting substitution λ, we can construct a substitution λ' such that t suit the required goal (if A then G), with suiting substitution λ ∘ λ'.


THE RESOLUTION RULE

The resolution rule allows us to perform a case analysis on the truth of a subsentence. In extending the rule, the output entries for the generated row are, in general, conditional terms.

Let us write the rule in tableau notation.

Rule (AA-resolution)

    assertions                          | goals | f(a)
    A1                                  |       | s
    A2                                  |       | t
    (A1 ◁ θ) ◁ {P ◁ θ ← false}          |       | if P ◁ θ
      or                                |       | then t ◁ θ
    (A2 ◁ θ) ◁ {P ◁ θ ← true}           |       | else s ◁ θ

The notation and requirements for the rule and the new assertion introduced are the same as for the rule without output entries: the boxed subsentences of A1 and A2 are unifiable, with most-general unifier θ, and P ◁ θ is their common instance.

The new output entries are conditional terms, each of whose if-clauses is the unified subsentence P ◁ θ, and whose then- and else-clauses are the corresponding instances t ◁ θ and s ◁ θ, respectively, of the output entries t and s for the required rows. In other words,

    if P ◁ θ then t ◁ θ else s ◁ θ

is an abbreviation for the n terms

    if P ◁ θ        if P ◁ θ              if P ◁ θ
    then t1 ◁ θ     then t2 ◁ θ    ...    then tn ◁ θ
    else s1 ◁ θ     else s2 ◁ θ           else sn ◁ θ.

As usual, by duality, the rule can be applied to two goals or to an assertion and a goal; the output entries are the same as for the AA version of the rule. The polarity strategy is as before. In the case in which one (or both) of the two required rows has no output entries, the row is treated as if it has output entries u = u1, u2, ..., un, where none of the variables ui occur free in the row.

We first look at an example that does not require unification.
Example (no unification)

Suppose we have the two rows

    assertions | goals          | rh(a1, a2, a3) | nrh(a1, a2, a3)
               | not [red(a2)]  | a1             | a2
               | [red(a2)]      | a2             | a3

The boxed subsentences of the two goals are identical, and hence unifiable with most-general unifier { }. Therefore we may apply the resolution rule to obtain

    assertions | goals      | rh(a1, a2, a3) | nrh(a1, a2, a3)
               | not false  | if red(a2)     | if red(a2)
               |   and      | then a2        | then a3
               | true       | else a1        | else a2

which is automatically simplified to

    assertions | goals | rh(a1, a2, a3) | nrh(a1, a2, a3)
               | true  | if red(a2)     | if red(a2)
               |       | then a2        | then a3
               |       | else a1        | else a2

The output entries are conditional terms each of whose if-clause is the unified subsentence red(a2). The then-terms and else-terms are the output entries of the given rows (in reverse order).


Now  let  us  see  an  example  in  which  a  unifier  is  necessary  to  create  common 
subsentences  in  the  goals. 


Example (with unification)

In a derivation for the sex program s(x), we obtain the two rows

    assertions | goals                 | s(a)
               | not [sex(a, female)]  | male
               | [sex(a, z)]           | z

The boxed subsentences of the two goals are unifiable, with most-general unifier {z ← female}. Therefore, we may apply the resolution rule to obtain

    assertions | goals      | s(a)
               | not false  | if sex(a, female)
               |   and      | then female
               | true       | else male

which is automatically simplified to

    assertions | goals | s(a)
               | true  | if sex(a, female)
               |       | then female
               |       | else male
Example (one output entry)

Suppose we have the rows

    assertions                        | goals        | s(a)
                                      | [sex(a, z)]  | z
    sex(u, male) or sex(u, female)    |              |

Note that the assertion has no output entry. We may therefore treat it as if it had the new variable u1 as its output entry:

    assertions                        | goals | s(a)
    [sex(u, male)] or sex(u, female)  |       | u1

The boxed subsentence of this assertion is unifiable with the boxed subsentence of the goal

    assertions | goals        | s(a)
               | [sex(a, z)]  | z

A most-general unifier is {u ← a, z ← male}. Therefore, we may apply the resolution rule to obtain

    assertions | goals                          | s(a)
               | not (false or sex(a, female))  | if sex(a, male)
               |   and                          | then male
               | true                           | else u1

which is automatically simplified to

    assertions | goals               | s(a)
               | not sex(a, female)  | if sex(a, male)
               |                     | then male
               |                     | else u1
Remark

Suppose we apply the resolution rule to two rows whose ith output entries si and ti become identical after the unifying substitution θ is applied, that is, the terms si ◁ θ and ti ◁ θ are identical. Then the ith output entry of the generated row, (if P ◁ θ then ti ◁ θ else si ◁ θ), is automatically simplified to si ◁ θ, by application of the simplification

    (if F then s else s) => s.

Suppose in applying the resolution rule we generate output entries of form

    (if F then u else s)  or  (if F then s else u),

where u is a variable that does not occur free elsewhere in the row. This occurs when we apply the rule to a row without output entries. Then we shall automatically replace those output entries with s.

To justify this, observe that, by the instantiation property, we may apply the substitution λ: {u ← s} to the generated row. This transforms the output entries into (if F then s else s) and has no effect on the remainder of the row. We may then simplify the output entries, obtaining s.

In particular, in applying the resolution rule to rows that do not both have output entries, we do not actually introduce conditional terms into the output columns. If only one of the rows has output entries t, the generated row has output entries t ◁ θ, where θ is the unifying substitution.


Example

In the previous example, we have obtained the row

    assertions | goals               | s(a)
               | not sex(a, female)  | if sex(a, male)
               |                     | then male
               |                     | else u1

Note that the variable u1 in the output entry does not occur elsewhere in the row. In accordance with the preceding remark, we can replace the output entry of this row with male, to obtain

    assertions | goals               | s(a)
               | not sex(a, female)  | male


Remark (no output case)

Suppose we are applying the resolution rule to two rows, both of which have no output entries. We treat each row as if it had as its output entries the new variables u and v. The rule will then produce a row whose output entries are of form (if P ◁ θ then v else u). These output entries are automatically replaced by the output entries u, in accordance with our previous remark. The variables u, being new, do not occur in the newly generated row. For this reason, the new row will be treated as if it had no output entries.

In short, if the resolution rule is applied to two rows without output entries, the resulting row has no output entries either.
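The following Python program is an added example, not code from the book: it implements the extended resolution rule on rows with output entries, together with the simplifications used above ((F and F) => F, (if F then s else s) => s, and the replacement of (if F then s else u) by s when u is a fresh output variable). It carries the three examples of this section through the machinery: the two redhead goals (no unification), the two goals of the sex program (unifier {z ← female}), and the assertion-goal case that needs the fresh variable u1. The term representation, the function names (resolve, simplify, unify, replace, subst) and the names _u1, _u2, ... for the fresh variables are this example's own choices; the book's ◁ is the function subst and its {P ← Q} replacement is replace. The same replace operation is what the equivalence and equality rules apply to output entries.

```python
"""Extended resolution on tableau rows with output entries (added example).
A term is ('var', name) or ('app', symbol, args); connectives 'not', 'and',
'or' and the conditional 'if' (cond, then, else) use the same 'app' form."""
from itertools import count

_fresh_ids = count(1)

def var(name):
    return ('var', name)

def app(symbol, *args):
    return ('app', symbol, tuple(args))

TRUE, FALSE = app('true'), app('false')

def fresh_var():
    """A new variable u_i, standing in for the output entry of a row that has none."""
    return var('_u%d' % next(_fresh_ids))

def is_fresh(t):
    return t[0] == 'var' and t[1].startswith('_u')

def subst(t, theta):
    """t ◁ θ for a substitution theta (dict name -> term), chasing bindings."""
    if t[0] == 'var':
        return subst(theta[t[1]], theta) if t[1] in theta else t
    return ('app', t[1], tuple(subst(a, theta) for a in t[2]))

def occurs(name, t):
    return t == var(name) if t[0] == 'var' else any(occurs(name, a) for a in t[2])

def unify(x, y, theta=None):
    """Most-general unifier of x and y extending theta, or None if there is none."""
    theta = {} if theta is None else theta
    x, y = subst(x, theta), subst(y, theta)
    if x == y:
        return theta
    if x[0] == 'var' or y[0] == 'var':
        v, t = (x, y) if x[0] == 'var' else (y, x)
        return None if occurs(v[1], t) else {**theta, v[1]: t}  # occurs check
    if x[1] != y[1] or len(x[2]) != len(y[2]):
        return None
    for a, b in zip(x[2], y[2]):
        theta = unify(a, b, theta)
        if theta is None:
            return None
    return theta

def replace(t, old, new):
    """t ◁ {old ← new}: replace every occurrence of the subsentence or subterm old."""
    if t == old:
        return new
    return t if t[0] == 'var' else ('app', t[1], tuple(replace(a, old, new) for a in t[2]))

def simplify(t):
    """Bottom-up true-false simplification plus (F and F) => F, (if F then s else s) => s
    and, for a fresh output variable u, (if F then s else u) => s (the remark above)."""
    if t[0] == 'var':
        return t
    sym, args = t[1], tuple(simplify(a) for a in t[2])
    if sym == 'not' and args[0] in (TRUE, FALSE):
        return FALSE if args[0] == TRUE else TRUE
    if sym in ('and', 'or'):
        a, b = args
        unit, zero = (TRUE, FALSE) if sym == 'and' else (FALSE, TRUE)
        if a == unit or a == b:
            return b
        if b == unit:
            return a
        if zero in (a, b):
            return zero
    if sym == 'if' and len(args) == 3:
        c, a, b = args
        if c == TRUE or (c != FALSE and (a == b or is_fresh(b))):
            return a
        if c == FALSE or is_fresh(a):
            return b
    return ('app', sym, args)

def resolve(row1, sub1, row2, sub2, kind='GG'):
    """Resolve row1 = (sentence, outputs or None) with row2 on boxed subsentences
    sub1, sub2.  With P = sub1 ◁ θ, two goals ('GG') yield the goal
    (G1◁θ)◁{P ← false} and (G2◁θ)◁{P ← true}; assertion row1 and goal row2 ('AG')
    yield not((A◁θ)◁{P ← false}) and (G◁θ)◁{P ← true}.  Output entry i is
    (if P then t_i◁θ else s_i◁θ), s from row1 and t from row2."""
    (f1, s), (f2, t) = row1, row2
    theta = unify(sub1, sub2)
    if theta is None:
        raise ValueError('boxed subsentences are not unifiable')
    p = subst(sub1, theta)
    left = replace(subst(f1, theta), p, FALSE)
    if kind == 'AG':
        left = app('not', left)
    sentence = app('and', left, replace(subst(f2, theta), p, TRUE))
    n = len(s or t or ())          # a row without outputs gets fresh variables
    s = s if s is not None else tuple(fresh_var() for _ in range(n))
    t = t if t is not None else tuple(fresh_var() for _ in range(n))
    outs = tuple(simplify(app('if', p, subst(ti, theta), subst(si, theta)))
                 for si, ti in zip(s, t))
    # Every entry still a fresh variable means both rows lacked outputs, and the
    # generated row is then treated as having none either.
    return simplify(sentence), None if all(map(is_fresh, outs)) else outs

# Constructed rows mirroring the three examples above (not the book's own objects).
a, a1, a2, a3 = app('a'), app('a1'), app('a2'), app('a3')
male, female, z, u = app('male'), app('female'), var('z'), var('u')

def red(x):
    return app('red', x)

def sex(x, y):
    return app('sex', x, y)

def redhead_final_row():       # goals not red(a2) [a1, a2] and red(a2) [a2, a3]
    return resolve((app('not', red(a2)), (a1, a2)), red(a2), (red(a2), (a2, a3)), red(a2))

def sex_with_unification():    # goals not sex(a, female) [male] and sex(a, z) [z]
    return resolve((app('not', sex(a, female)), (male,)), sex(a, female),
                   (sex(a, z), (z,)), sex(a, z))

def sex_one_output():          # assertion without outputs against goal sex(a, z) [z]
    return resolve((app('or', sex(u, male), sex(u, female)), None), sex(u, male),
                   (sex(a, z), (z,)), sex(a, z), kind='AG')
```

redhead_final_row() returns the goal true with the two conditional output entries (if red(a2) then a2 else a1) and (if red(a2) then a3 else a2); sex_with_unification() returns true with (if sex(a, female) then female else male); sex_one_output() returns the goal not sex(a, female) with the single output male, the conditional having been dropped because its else-branch was the fresh variable. Resolving two rows that both lack outputs returns None for the outputs, as the remark on the no-output case requires.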

Let us now justify our adaptation of the resolution rule to extended tableaux.

Justification (extended resolution rule)

We consider only the AA-form of the rule and show that the justification conditions hold. The justification condition for validity was established when we introduced the basic resolution rule.

To show the justification condition for satisfying terms, let I be a model for the theory and let r be closed terms that suit the generated assertion under I. We would like to show that then r suit one of the required assertions under I.

Because the terms r suit the generated assertion under I, we have, for some suiting substitution λ, the truth condition,

    [(A1 ◁ θ) ◁ {P ◁ θ ← false} or (A2 ◁ θ) ◁ {P ◁ θ ← true}] ◁ λ
    is closed and false under I,

and the output condition,

    the terms (if P ◁ θ then t ◁ θ else s ◁ θ) ◁ λ are closed and have the
    same values, respectively, as r under I.

Consequently (by properties of substitutions), we have

    (†)  [A1 ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← false}
         is closed and false under I,

         [A2 ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← true}
         is closed and false under I,

and

    (‡)  the terms  if P ◁ (θ ∘ λ) then t ◁ (θ ∘ λ) else s ◁ (θ ∘ λ)
         are closed and have the same values, respectively, as r under I.

We distinguish between two cases.

Case: P ◁ (θ ∘ λ) is false under I.

We claim that then the terms r suit the required assertion A1 with suiting substitution θ ∘ λ. To show this, we must show the appropriate truth and output conditions.

In this case, P ◁ (θ ∘ λ) and false have the same truth-value under I. Because [A1 ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← false} is false under I (by (†)), it follows (by the value property) that the closed sentence A1 ◁ (θ ∘ λ) is false under I, that is, the truth condition holds.

Also, because in this case P ◁ (θ ∘ λ) is false under I, it follows (from (‡)) that the closed terms s ◁ (θ ∘ λ) have the same values, respectively, as r under I, that is, the output condition also holds.

Case: P ◁ (θ ∘ λ) is true under I.

This case is symmetric to the previous case. We show that the terms r suit the required assertion A2 with suiting substitution θ ∘ λ.


THE EQUIVALENCE RULE

The equivalence rule allows us to replace a subsentence of the tableau with an equivalent sentence. For extended tableaux, we may replace subsentences of the output entries as well as the assertions and goals. The output entries for the generated row are, in general, conditional terms. Let us write the rule in tableau form.

Rule (AA-equivalence, left to right)

    assertions                               | goals | f(a)
    A1                                       |       | s
    A2                                       |       | t
    (A1 ◁ θ) ◁ {(P ≡ Q) ◁ θ ← false}         |       | if (P ≡ Q) ◁ θ
      or                                     |       | then (t ◁ θ) ◁ {P ◁ θ ← Q ◁ θ}
    (A2 ◁ θ) ◁ {P ◁ θ ← Q ◁ θ}               |       | else s ◁ θ

Here, as for the basic rule, A1 contains a boxed subsentence P ≡ Q, and θ is a most-general unifier of P with the boxed subsentences of A2 and of the output entries t. Note that the substitution θ may unify occurrences of subsentences in the output entries t as well as in the assertion A2, and these occurrences may be replaced by the rule. (An output entry may have subsentences if it contains a conditional term.) A right-to-left version of the rule allows us to replace occurrences of Q ◁ θ with P ◁ θ.

We have presented the rule as it applies to two assertions. As usual, by duality, we may also apply the rule to an assertion and a goal, or to two goals, and obtain conditional output entries in each case. As was the case for the resolution rule, if one of the two given rows has no output entries, the conditional is not introduced into the output entries for the generated row. If both given rows have no output entries, the generated row has no output entries either. The polarity strategy applies as usual.

Example (equivalence rule)

Suppose our tableau contains the two rows

    assertions         | goals | f(a)
    [p(x, a)] ≡ q(x)   |       | q(x)
    [p(z, y)]          |       | if [p(b, y)] then z else y

The boxed subsentences of the two rows are unifiable, with a most-general unifier

    {x ← b, y ← a, z ← b}.

We may apply the AA-equivalence rule to obtain

    assertions | goals | f(a)
    false      |       | if p(b, a) ≡ q(b)
      or       |       | then if q(b) then b else a
    q(b)       |       | else q(b)

or, after true-false simplification,

    assertions | goals | f(a)
    q(b)       |       | if p(b, a) ≡ q(b)
               |       | then if q(b) then b else a
               |       | else q(b)

Here we have replaced an occurrence of p(b, a) with q(b) in the output entry as well as in the assertion. It would also have been legal for us to make a replacement in the assertion but not the output entry, or in the output entry but not the assertion. The unifiers would have been different in each case.


The justification for the extended equivalence rule is analogous to that for the extended resolution rule.


Justification (extended equivalence rule)

We consider only the AA, left-to-right version of the rule and show that the justification conditions hold. The justification condition for validity was established when we introduced the basic equivalence rule.

To show the justification condition for satisfying terms, let I be a model for the theory and r be closed terms that suit the generated assertion under I. We would like to show that then r suit one of the required assertions under I.

Because the terms r suit the generated assertion under I, we know that, for some suiting substitution λ, we have the truth condition,

    [(A1 ◁ θ) ◁ {(P ≡ Q) ◁ θ ← false} or (A2 ◁ θ) ◁ {P ◁ θ ← Q ◁ θ}] ◁ λ
    is closed and false under I,

and the output condition,

    the terms (if (P ≡ Q) ◁ θ then (t ◁ θ) ◁ {P ◁ θ ← Q ◁ θ} else s ◁ θ) ◁ λ
    are closed and have the same values, respectively, as r under I.
14.6  The  Deduction  Rules 




Consequently (by properties of substitutions), we have

    (*)  [A1 ◁ (θ ∘ λ)] ◁ {(P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) ← false}
         is closed and false under I,

    (†)  [A2 ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← Q ◁ (θ ∘ λ)}
         is closed and false under I,

and

    (‡)  the terms
           if P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)
           then [t ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← Q ◁ (θ ∘ λ)}
           else s ◁ (θ ∘ λ)
         are closed and have the same values, respectively, as r under I.

We distinguish between two cases.

Case: (P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) is false under I.

We claim that then the terms r suit the required assertion A1 with suiting substitution θ ∘ λ. To show this, we establish the appropriate truth and output conditions.

In this case, (P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) and false have the same truth-value under I. Because [A1 ◁ (θ ∘ λ)] ◁ {(P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) ← false} is false under I (by (*)), it follows (by the value property) that the closed sentence A1 ◁ (θ ∘ λ) is false under I, that is, the truth condition holds.

Also, because in this case (P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) is false under I, it follows (from (‡)) that the closed terms s ◁ (θ ∘ λ) have the same values, respectively, as r under I, that is, the output condition also holds.

Case: (P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) is true under I.

We claim that the terms r suit the required assertion A2 with suiting substitution θ ∘ λ. To show this, we again establish the appropriate truth and output conditions.

In this case, P ◁ (θ ∘ λ) and Q ◁ (θ ∘ λ) have the same truth-value under I. Because

    [A2 ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← Q ◁ (θ ∘ λ)}

is false under I (by (†)), it follows (by the value property) that the closed sentence A2 ◁ (θ ∘ λ) is false under I, that is, the truth condition holds.

Also, because in this case (P ◁ (θ ∘ λ) ≡ Q ◁ (θ ∘ λ)) is true under I, it follows (from (‡)) that the closed terms

    [t ◁ (θ ∘ λ)] ◁ {P ◁ (θ ∘ λ) ← Q ◁ (θ ∘ λ)}

have the same values, respectively, as r under I. Because in this case P ◁ (θ ∘ λ) and Q ◁ (θ ∘ λ) have the same truth-value under I, it follows that the closed terms t ◁ (θ ∘ λ) have the same values, respectively, as r under I, that is, the output condition also holds.


THE EQUALITY RULE

The equality rule is analogous to the equivalence rule: it allows us to replace a subterm of the tableau with an equal term. For tableaux with output columns, we may replace subterms of the output entries as well as the assertions and goals. The output entries for the generated row are, in general, conditional terms.

The rule allows us to omit the transitivity and symmetry axioms for equality from our list of assertions; the reflexivity axiom u = u is retained.

Let us write the rule in tableau form.

Rule (AA-equality, left to right)

    assertions                               | goals | f(a)
    A1                                       |       | s
    A2                                       |       | t
    (A1 ◁ θ) ◁ {(p = q) ◁ θ ← false}         |       | if (p = q) ◁ θ
      or                                     |       | then (t ◁ θ) ◁ {p ◁ θ ← q ◁ θ}
    (A2 ◁ θ) ◁ {p ◁ θ ← q ◁ θ}               |       | else s ◁ θ

Here the symbols p and q stand for terms: A1 contains a boxed subsentence p = q, and θ is a most-general unifier of p with the boxed subterms of A2 and of the output entries t. A right-to-left version of the rule allows us to replace occurrences of q ◁ θ with p ◁ θ.

We have presented the rule as it applies to two assertions but, by duality, it may be applied as well to two goals or to an assertion and a goal. As usual, if only one of the rows has output entries, the conditional is not introduced into the generated output entries; if neither row has output entries, the generated row also has no output entries. The polarity strategy applies as before.

We omit the justification for the equality rule, since it is closely analogous to that for the equivalence rule.


Example (equality rule)

Suppose our tableau contains the two rows

    assertions   | goals        | f(a)
    [0 + x] = x  |              |
                 | [z + a] = b  | z

The boxed subterms of the two rows are unifiable, with a most-general unifier

    {x ← a, z ← 0}.

We may apply the AG-equality rule to obtain

    assertions | goals      | f(a)
               | not false  | 0
               |   and      |
               | a = b      |

which simplifies to

    assertions | goals  | f(a)
               | a = b  | 0

Note that because the assertion had no output entry, we did not introduce a conditional into the generated row.


THE SKOLEMIZATION RULES

The universal and existential quantifier-elimination propositions are invoked in forming the initial tableau, because we remove the quantifiers for the input and output variables before the tableau is formed. Nevertheless, there may be other quantifiers in the specification that must be removed once the derivation is underway. For this purpose, we can apply the quantifier-elimination rules, which allow us to remove quantifiers of strict force from the assertions and goals. The output entries remain the same.

Rules (quantifier elimination)

    assertions | goals | f(a)
    A          |       | s
    A'         |       | s

Here A' is obtained from A by dropping a quantifier of strict force, either universal or existential, as in the basic ∀- and ∃-elimination rules. Precisely the same rules apply to goals.

Remark

In forming the initial tableau for a recursive program, we introduced into the initial tableau the induction hypothesis

    (∀ obj u)[if (u) ≺ (a) then Q[u; f(u)]]

which is an abbreviation of

    (∀ u)^∃ [if obj(u)
             then if (u) ≺ (a)
                  then Q[u; f(u)]]

The universal quantifier (∀ u) is of strict existential force, as indicated by its annotation. Therefore, by the ∃-elimination rule, we may drop this quantifier, to obtain

    if obj(u)
    then if (u) ≺ (a)
         then Q[u; f(u)]

In fact, whenever we want to construct a recursive program, we shall automatically remove the quantifier and include the above row in our initial tableau.


THE INDUCTION RULE

The well-founded induction principle is used in forming the initial tableau for a recursive program, in which we include the induction hypothesis among our initial assertions. Nevertheless, we may wish to use the principle at subsequent stages of the derivation. For this purpose, we can apply the usual induction rules, which, extended, have no effect on the output entries. We present only the extended well-founded induction rule.

Rule (well-founded induction)

    assertions          | goals           | f(a)
                        | (∀ obj x) F[x]  | s
    obj(r)              |                 | s
    if obj(u)           |                 | s
    then if u ≺ r       |                 |
         then F[u]      |                 |
                        | F[r]            | s

Here the required goal is a closed sentence, obj is a unary predicate symbol, ≺ is a well-founded relation over obj, and r is a new constant.


14.7 REVIEW OF PROGRAM SYNTHESIS

At this point we review our basic synthesis before presenting examples of the derivations of specific programs.

In a chosen theory, we are given a specification Q[x; z], with input sorts obj, where x and z are the input and output variables, respectively. We would like to construct a program f(x) = t[x] that satisfies this specification, in the sense that the correctness condition

    if (∀ obj x)[f(x) = t[x]]
    then (∀ obj x) Q[x; f(x)]

is valid in the theory.

If we want to exclude recursive programs, we take the following initial tableau:

    assertions | goals    | f(a)
    obj(a)     |          |
               | Q[a; z]  | z

We include n output columns, one for each output variable z = z1, z2, ..., zn.

If we want to allow recursive programs, we take the following initial tableau:

    assertions             | goals    | f(a)
    obj(a)                 |          |
    if obj(u)              |          |
    then if (u) ≺ (a)      |          |
         then Q[u; f(u)]   |          |
                           | Q[a; z]  | z

Whether we allow recursive programs or not, we may include any valid sentences of the theory as assertions of the tableau.

We include in the primitive list the function symbols f and any other symbols that are permitted to occur in the final program.

To derive a program, we successively apply extended deduction rules to the initial tableau. These rules add new rows to the tableau while maintaining validity and satisfying terms. The derivation must continue until we obtain the final assertion false or the final goal true, whose output entries t'[a] are all primitive expressions. At this point, we may stop the derivation.

Let t[a] be obtained from t'[a] by replacing any variable with an arbitrary primitive constant. Then the final program we obtain is

    f(x) = t[x]

We have shown that this program will satisfy the specification.

Even if we obtain a final row with primitive output entries, we may choose to continue the derivation. If we again derive the final assertion false or the final goal true, it may have different primitive output entries. In this case, we obtain a different program meeting the same specification.

Once we have derived a program, we may use it in deriving other programs. We extend our theory by introducing the new axiom

    if obj(x)
    then f(x) = t[x]

This axiom may be included as an assertion in the initial tableau for future derivations. We may also include the assertion that the program does meet its specification,

    if obj(x)
    then Q[x; f(x)]

By our correctness condition, this is a valid sentence of the extended theory.

Now that we have reviewed the derivation process, let us illustrate it with the derivation of a program.

FULL  EXAMPLE:  REDHEAD 


In  this  section,  we  present  the  full  derivation  of  the  redhead  program;  fragments  of 
this  derivation  have  already  been  presented.  In  a  family  theory,  for  given  persons 
Zi,  Z2,  and  Z3,  we  are  told  that  x\  is  a  parent  of  Z2,  that  Z2  is  a  parent  of  Z3, 
and  that  Zi  is  redheaded  but  X3  is  not  (we  are  not  told  the  hair  color  of  X2).  We 
are  asked  to  construct  two  programs,  rh  (xi,  X2,  X3)  and  nrh  (xj ,  12,  X3),  to  yield 
two  persons  x,  and  x2,  respectively,  such  that  X]  is  a  parent  of  22  and  that  : ;  is 
redheaded  but  22  is  not.  In  short,  we  are  given  the  specification 


2[xi,  x2;  21,  22]  : 


if  par(x  1,  X2)  and  par(x 2,  X3)  and 
red(x  1)  and  no/red(x3) 
then  pariz i,  z 2)  and 

red(zi)  and  not  red  (^2) 


The  input  sort  for  each  of  the  three  inputs  is  person.  Here  par  and  red  are 
primitive  predicate  symbols.  In  this  theory,  every  element  is  of  sort  person.  This 
is  expressed  by  the  simplification 


person(u)  =>  true. 
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(If  we  were  dealing  with  a  combined  theory,  we  would  not  include  this  simplifica¬ 
tion.) 

We  shall  derive  a  nonrecursive  program.  ((  capital  heads,  A,  G  numbers  )) 


The  initial  tableau  is: 


Note that the initial assertion A1 is immediately simplified to the trivial assertion
true. By the if-split rule, followed by the and-split rule:


Note that the output entries z1 and z2 have been dropped from the assertions,
because they have no occurrences of these variables.


By the resolution rule applied to A3 and G7, {z1 ← a1, z2 ← a2}:


Note that no conditional terms were formed in the output entries, because only
one of the required goals has output entries.

G11. true    | if red(a2)    | if red(a2)
             | then a2       | then a3
             | else a1       | else a2

Note that conditional terms have been formed in the output entries, because both
required goals have distinct output entries.


We  have  derived  the  final  goal  true  with  primitive  output  entries.  Therefore 
we  may  stop  the  derivation  and  obtain  a  final  program. 


rh(x1, x2, x3) = if red(x2)
                 then x2
                 else x1

and

nrh(x1, x2, x3) = if red(x2)
                  then x3
                  else x2


14.8  FULL  EXAMPLE:  FRONT-LAST 


((  should  this  be  a  section  or  a  subsection?  )) 


In  this  section,  we  present  the  full  derivation  of  a  front-last  program  to  find  the 
string  of  all  but  the  last  character  in  a  nonempty  string,  and  the  last  character 
itself  (see  Problem  [I]7.5). 

In the theory of strings, we are given the specification

Q[x; z1, z2] : if not (x = Λ)
               then string(z1) and char(z2) and
                    x = z1 * z2

with input sort string. (( box? ))

We shall derive a recursive program. Because there is only one input, (( MB:
out?? )) we may use a well-founded relation over obj, that is, over string, rather
than over tuples of strings; in this case, we take ≺ to be ≺_tail, the tail relation
over strings. This is defined by the axiom

(∀ string u, v)
  [u ≺_tail v
   ≡ (∃ char w)[w • u = v]]


((  have  we  said  this  is  well-founded?  )) 
Because we are working in a pure theory of strings, rather than a combined
theory, we know that every element is a string. This is expressed in the
simplification

string(u) => true.


Our  initial  tableau  is  therefore 


Note that the rows have been transformed by the simplification string(u) => true.


We include in the primitive list the basic symbols of the theory of strings (Λ,
head, tail, char) as well as the function symbols front and last themselves.

We include as assertions in the initial tableau certain axioms and valid
sentences of the theory of strings, including the above definition of the tail relation.

We  shall  use  the  property 

(V  string  u,  v)  u)  <",V) 

(( out? ))

We shall need an assertion expressing the trichotomy property

(∀ string u)[u = Λ or char(u) or not (tail(u) = Λ)]    (trichotomy)

that is, every string is either empty, consists of a single character, or has a
nonempty tail.

We can immediately decompose the goal.

By the if-split rule applied to G2:

A3. not (a = Λ)

G4. char(z2) and
    a = z1 * z2          | z1 | z2

Note that the output entries z1 and z2 have been dropped from row A3, because
they do not occur free in the assertion.


THE  CHARACTER  CASE 


We begin by deriving the portion of the program corresponding to the case in
which a is a single character. We focus on our goal G4 and use an axiom for
concatenation.

Recall the left-empty axiom for concatenation:

Λ * u = u


Recall goal G4:

G4. char(z2) and
    a = z1 * z2          | z1 | z2

By the equality rule, {z1 ← Λ, u ← z2}:

G5. char(z2) and
    a = z2               | Λ | z2

Recall the reflexivity axiom for equality:

By the resolution rule, {u ← a, z2 ← a}:

Note that, by this stage, the output entries for front(a) and last(a) have been
chosen to be the terms Λ and a, respectively. In other words, when char(a) is
true, Λ and a will be suitable outputs.


INTRODUCTION  OF  THE  RECURSIVE  CALL 

Let us set aside goal G6 for a while and return our attention to goal G4. We
again use an axiom for concatenation.


Recall the left-prefix axiom for concatenation:

if char(w)
then (w • u) * v = w • (u * v)

Recall goal G4:

G4. char(z2) and
    a = z1 * z2          | z1 | z2

By the equality rule, {z1 ← w • u, v ← z2}, rename u to z1':

G7. char(w) and
    char(z2) and
    a = w • (z1' * z2)   | w • z1' | z2

As a result of this step, the output entry for front(a) has been taken to
be w • z1', where w and z1' have yet to be selected. We now use our induction
hypothesis twice in succession.


Recall our induction hypothesis:

A2. if u ≺_tail a
    then if not (u = Λ)
         then char(last(u)) and
              u = front(u) * last(u)


By the equality rule, right-to-left, {z1' ← front(u), z2 ← last(u)}:

By the resolution rule, {u ← a, w ← head(a), u' ← tail(a)}:

G10. not (a = Λ) and
     tail(a) ≺_tail a and
     char(head(a)) and
     not (tail(a) = Λ)   | head(a) • front(tail(a)) | last(tail(a))


Recall the sort property of head:

if not (u = Λ)
then char(head(u))


By the resolution rule, {u ← a}:

G11. not (a = Λ) and
     tail(a) ≺_tail a and
     not (tail(a) = Λ)   | head(a) • front(tail(a)) | last(tail(a))


FINISHING  THE  NON-CHARACTER  CASE 

We now show that the well-founded relation ≺_tail does indeed hold between the
argument tail(a) and the original input a. We then use goal G9, which we had
developed and set aside.

Recall the tail property of the tail relation:

if not (u = Λ)
then tail(u) ≺_tail u

Recall goal G11:

G11. not (a = Λ) and
     tail(a) ≺_tail a and
     not (tail(a) = Λ)   | head(a) • front(tail(a)) | last(tail(a))

(( repeat G11? ))

By the resolution rule, {u ← a}:

G12. not (a = Λ) and
     not (tail(a) = Λ)   | head(a) • front(tail(a)) | last(tail(a))


Recall the trichotomy property:

u = Λ or char(u) or not (tail(u) = Λ)


By the resolution rule, {u ← a}:

G13. not (a = Λ) and
     not (a = Λ or char(a))   | head(a) • front(tail(a)) | last(tail(a))

Recall assertion A3:

A3. not (a = Λ)

By the resolution rule, { }:

G14. not char(a)             | head(a) • front(tail(a)) | last(tail(a))

COMBINING  THE  TWO  CASES 


Recall our previous goals G6 and G14:

G6.  char(a)                 | Λ | a

G14. not char(a)             | head(a) • front(tail(a)) | last(tail(a))
By the resolution rule, { }:

G18. true    | if char(a)                          | if char(a)
             | then Λ                              | then a
             | else head(a) • front(tail(a))       | else last(tail(a))


At this point conditional terms have been formed in the output column,
because the goals G9 and G17 both have output entries.


We have derived the final goal true with primitive output entries. Therefore,
we may stop the derivation and obtain the final program

front(x) = if char(x)
           then Λ
           else head(x) • front(tail(x))

and

last(x) = if char(x)
          then x
          else last(tail(x))
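As an added example (not from the book), the front and last programs just derived, run over Python strings under an assumed encoding of the theory of strings (Λ as the empty string, a character as a one-character string, prefix and concatenation both as string addition), with the specification Q[x; z1, z2] and the descent along the tail relation checked; the encoding and the helper names are assumptions.

```python
"""Added example, not from the book: the front/last program derived in
Section 14.8, executed over Python strings, with the specification
Q[x; z1, z2] and the well-founded tail relation of the derivation checked.

Assumed encoding of the theory of strings: Λ is "", char(u) is len(u) == 1,
head/tail are the first character and the rest, and both the prefix w • u and
the concatenation u * v are str addition."""

from typing import List

EMPTY = ""  # Λ


def char(u: str) -> bool:
    return len(u) == 1


def head(u: str) -> str:
    if u == EMPTY:
        raise ValueError("head(Λ) is not defined")
    return u[0]


def tail(u: str) -> str:
    if u == EMPTY:
        raise ValueError("tail(Λ) is not defined")
    return u[1:]


def tail_less(u: str, v: str) -> bool:
    """u ≺_tail v  ≡  (∃ char w)[w • u = v]"""
    return v != EMPTY and v[1:] == u


def trichotomy(u: str) -> bool:
    """u = Λ or char(u) or not (tail(u) = Λ); valid for every string."""
    return u == EMPTY or char(u) or tail(u) != EMPTY


def front(x: str) -> str:
    """front(x) = if char(x) then Λ else head(x) • front(tail(x))"""
    if char(x):
        return EMPTY
    return head(x) + front(tail(x))


def last(x: str) -> str:
    """last(x) = if char(x) then x else last(tail(x))"""
    if char(x):
        return x
    return last(tail(x))


def meets_spec(x: str) -> bool:
    """Q[x; z1, z2]: if not (x = Λ) then string(z1) and char(z2) and x = z1 * z2.
    For x = Λ the antecedent is false, so the specification promises nothing
    and the program is simply not called (front(Λ) itself fails on tail(Λ))."""
    if x == EMPTY:
        return True
    z1, z2 = front(x), last(x)
    return isinstance(z1, str) and char(z2) and x == z1 + z2


def call_arguments(x: str) -> List[str]:
    """The successive arguments of the recursive calls made by front/last on x."""
    args = [x]
    while not char(args[-1]):
        args.append(tail(args[-1]))
    return args


def recursion_decreases(x: str) -> bool:
    """Each recursive call's argument is ≺_tail the previous one: the well-founded
    descent that guarantees termination for nonempty x."""
    args = call_arguments(x)
    return all(tail_less(b, a) for a, b in zip(args, args[1:]))
```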

({  exercise:  reversing  a  string.  See  S0L14  file  )) 


14.9  FULL  EXAMPLE:  FLATTENING  A  TREE 


In this section, we present the full derivation of a program for flattening a tree.
This is actually an example of program transformation, because we are given one
method of computing a function and we derive another one. The reader will recall
that we have defined by the following axioms a function flattree (Section [I]8.4),
which takes a tree as its argument and yields the string of all its atoms:

(∀ atom u)[flattree(u) = u]                                  (atom)

(∀ tree u, v)[flattree(u • v) = flattree(u) * flattree(v)]   (construction)

Here • is the tree construction function and * is the string concatenation function.

These axioms are computationally suggestive; they provide a method for
computing the function.
This example illustrates two points. First, we have observed that, in proving
a theorem, it may be necessary to prove a more general theorem, so as to have
the benefit of a stronger induction hypothesis. This often occurs when the proof
is part of the derivation of a program. In that case, the program we derive from
the proof of the more general theorem is used as a "subprogram" by the main
program, which we derive from the proof of the given theorem.

The example also illustrates the use of a combined theory in program derivation.
The program is applied to a tree and yields a string; therefore, we must work
in a combined theory of trees and strings. In the combined theory, we identify
the atoms of the trees with the characters of the strings; this is expressed by the
axiom

(∀ u)[char(u) ≡ atom(u)]                                     (character-atom)


The specification for the new program flattree1(x) is simply

Q1[x; z] : z = flattree(x)

In other words, the flattree1 program is to yield the same result as the given
flattree program. We shall take obj to be tree.

We shall not include the function symbol flattree itself in the primitive list.
This will ensure that we cannot obtain a flattree1 program that relies on the
flattree program. We shall also omit the concatenation function symbol * from
the primitive list; this will force us to express the new program in terms of the
prefix function • rather than the less efficient concatenation function.

To conduct this derivation, we must first derive a more general program
flattree2(x1, x2), to meet the specification

Q2[x1, x2; z] : z = flattree(x1) * x2

We take x1 to be a tree and x2 to be a string; that is, our input sorts are
tree and string, respectively. (( out? )) This generalization step is not done by
any rule of the system; we assume that the generalized specification is supplied
to us.

Before we begin the derivation of flattree2, let us see how it will enable us to
complete the derivation of flattree1.


THE  DERIVATION  OF  FLATTREE1 

The program for flattree1 will not be recursive. We may therefore take our initial
tableau without an induction hypothesis, as follows:

assertions          | goals                  | flattree1(a)

A1. tree(a)

                    | G2. z = flattree(a)    | z

Because  our  theory  is  a  combined  theory  of  trees  and  strings,  rather  than  a  pure 
theory,  we  must  retain  sort  conditions,  such  as  tree  (a),  to  distinguish  between 
the  two  sorts  of  elements  tree  and  string. 


Assuming that the derivation of flattree2 has been successful, we may include
in the initial tableau for flattree1 an assertion that flattree2 does indeed meet its
specification, namely

A3. if tree(x1) and string(x2)
    then flattree2(x1, x2) = flattree(x1) * x2

For this derivation, we include flattree2 but not flattree1 or flattree in the primitive
list.


We first obtain a special case of the above assertion by invoking a property
of concatenation. This result will be useful in establishing the initial goal.

Recall the right-empty property of concatenation:

if string(u)
then u * Λ = u

Recall assertion A3:

A3. if tree(x1) and string(x2)
    then flattree2(x1, x2) = flattree(x1) * x2

By the equality rule, {u ← flattree(x1), x2 ← Λ}, and removal of a sort
condition:

Recall goal G2:

By the resolution rule, {x1 ← a, z ← flattree2(a, Λ)}, and removal of sort
conditions:

string(flattree(a)) and
tree(a) and string(Λ)        | flattree2(a, Λ)

We have obtained the final goal true with a primitive output entry. This
completes the derivation of flattree1; we may extract the program

flattree1(x) = flattree2(x, Λ)


Remark (flattree is not primitive)

If the function symbol flattree had been taken to be primitive, we could have
completed the derivation more easily, but the result would not have been useful.

Recall goal G2 and the reflexivity axiom for equality:

By the resolution rule, {z ← flattree(a), u ← flattree(a)}:

G3'. true                    | flattree(a)

If the symbol flattree is primitive, we may conclude the derivation, obtaining
the final program

flattree1(x) = flattree(x).

This program satisfies the specification z = flattree(x), of course, but we have
not transformed the given program flattree as we had intended. When flattree is
excluded from the primitive list, we are prevented from stopping the derivation
at this stage.


THE  DERIVATION  OF  FLATTREE2 


Now let us present the derivation of flattree2. We are given the specification

Q2[x1, x2; z] : z = flattree(x1) * x2

where the input sorts are tree and string, respectively.

The program for flattree2 will be recursive. Because there are two inputs, a
tree and a string, we must take our well-founded relation ≺ to be over 2-tuples
(that is, pairs) of sort tree and string. In this case, we shall take ≺ to be ≺_π1(child),
the first projection of the child relation, defined by the axiom

(∀ tree u1, v1)
(∀ string u2, v2)
  [⟨u1, u2⟩ ≺_π1(child) ⟨v1, v2⟩
   ≡ u1 ≺_child v1]                                          (first projection)

In other words, the two subtrees left(v) and right(v) are the two children of
the nonatomic tree v. (( shown to be well-founded? ))


Our initial tableau is:

assertions                                        | goals                    | flattree2(a1, a2)

A1. tree(a1) and string(a2)

A2. if ⟨u1, u2⟩ ≺_π1(child) ⟨a1, a2⟩
    then if tree(u1) and string(u2)
         then flattree2(u1, u2) = flattree(u1) * u2

                                                  | G3. z = flattree(a1) * a2 | z

Recall that we include flattree2 itself in the primitive list, but neither flattree
nor the concatenation function *.


THE  ATOMIC  CASE 

We begin with the portion of the derivation that pertains to the case in which
the first input a1 is an atom. We focus our attention on the initial goal.


Recall the atom axiom for flattree:

if atom(u)
then flattree(u) = u

G3. z = flattree(a1) * a2        | z

By the equality rule, {u ← a1}:

G4. atom(a1) and
    z = a1 * a2                  | z

Recall the character property of *:

if char(u) and string(v)
then u * v = u • v

By the equality rule, {u ← a1, v ← a2} and removal of sort conditions:
Recall the reflexivity axiom for equality:

By the resolution rule, {u ← a1 • a2, z ← a1 • a2}:

As a result of this step, the output has been taken to be a1 • a2.

Recall the character-atom axiom for the combined theory:

By the equivalence rule, {u ← a1}:

Let us set this goal aside for a while.


DECOMPOSITION  OF  THE  INPUT 


The balance of the derivation concerns the case in which a1 is nonatomic. In this
case, we may decompose a1 into its two components.

Recall goal G3:

Recall the decomposition property of trees:
if tree(u)
then if not atom(u)
     then u = left(u) • right(u)

By the equality rule, {u ← a1}, and removal of a sort condition:

G8. not atom(a1) and
    z = flattree(left(a1) • right(a1)) * a2      | z

Recall the construction axiom for flattree:

if tree(u) and tree(v)
then flattree(u • v) = flattree(u) * flattree(v)

By the equality rule, {u ← left(a1), v ← right(a1)}, and removal of a sort
condition:

G9. not atom(a1) and
    z = (flattree(left(a1)) * flattree(right(a1))) * a2      | z


Recall the associativity property of concatenation:

if string(u) and string(v) and string(w)
then (u * v) * w = u * (v * w)

By the equality rule, {u ← flattree(left(a1)), v ← flattree(right(a1)), w ← a2},
and removal of sort conditions:

G10. not atom(a1) and
     z = flattree(left(a1)) * (flattree(right(a1)) * a2)     | z

INTRODUCTION OF THE RECURSIVE CALL


We are now in a position to use our induction hypothesis. This will result in the
appearance of a recursive call in the output column.

Recall the induction hypothesis:

A2. if ⟨u1, u2⟩ ≺_π1(child) ⟨a1, a2⟩
    then if tree(u1) and string(u2)
         then flattree2(u1, u2) = flattree(u1) * u2


Recall goal G10:

G10. not atom(a1) and
     z = flattree(left(a1)) * (flattree(right(a1)) * a2)     | z

By the equality rule, right-to-left, {u1 ← right(a1), u2 ← a2}, and removal
of sort conditions:

G11. ⟨right(a1), a2⟩ ≺_π1(child) ⟨a1, a2⟩ and
     not atom(a1) and
     z = flattree(left(a1)) * flattree2(right(a1), a2)       | z


Recall the induction hypothesis, again:

A2. if ⟨u1, u2⟩ ≺_π1(child) ⟨a1, a2⟩
    then if tree(u1) and string(u2)
         then flattree2(u1, u2) = flattree(u1) * u2

By the resolution rule, {u1 ← left(a1), u2 ← flattree2(right(a1), a2), z ←
flattree2(left(a1), flattree2(right(a1), a2))}, and removal of sort conditions:
Note that, as a result of this step, we have introduced two nested recursive calls
into the output entry.


ESTABLISHING  THE  WELL-FOUNDED  RELATION 


We now show that the argument pairs for the recursive calls are "less than" the
given argument pair ⟨a1, a2⟩, with respect to our selected well-founded relation
≺_π1(child). We use properties of the first-projection and child relations.

Recall the definition of the first-projection relation and goal G12:

G12. ⟨left(a1), flattree2(right(a1), a2)⟩ ≺_π1(child) ⟨a1, a2⟩ and
     string(flattree2(right(a1), a2)) and
     ⟨right(a1), a2⟩ ≺_π1(child) ⟨a1, a2⟩ and
     not atom(a1)              | flattree2(left(a1), flattree2(right(a1), a2))

By the equivalence rule, {u1 ← left(a1), u2 ← flattree2(right(a1), a2), v1 ←
a1, v2 ← a2}, and removal of sort conditions:
G13. left(a1) ≺_child a1 and
     string(flattree2(right(a1), a2)) and
     ⟨right(a1), a2⟩ ≺_π1(child) ⟨a1, a2⟩ and
     not atom(a1)              | flattree2(left(a1), flattree2(right(a1), a2))

Contrary to our habit, we have not automatically removed the sort condition
string(flattree2(right(a1), a2)); the removal of this condition is unusual in that
it requires the induction hypothesis.

Recall the induction hypothesis:

A2. if ⟨u1, u2⟩ ≺_π1(child) ⟨a1, a2⟩
    then if tree(u1) and string(u2)
         then string(flattree2(u1, u2))
              and
              flattree2(u1, u2) = flattree(u1) * u2


By the resolution rule, {u1 ← right(a1), u2 ← a2}, and removal of sort
conditions:

G14. left(a1) ≺_child a1 and
     ⟨right(a1), a2⟩ ≺_π1(child) ⟨a1, a2⟩ and
     not atom(a1)              | flattree2(left(a1), flattree2(right(a1), a2))

We now invoke properties of the first-projection and child relations.

Recall the definition of the first-projection relation:

if tree(u1) and string(u2) and
   tree(v1) and string(v2)
then ⟨u1, u2⟩ ≺_π1(child) ⟨v1, v2⟩
     ≡ u1 ≺_child v1

By the equivalence rule, {u1 ← right(a1), u2 ← a2, v1 ← a1, v2 ← a2}, and
removal of sort conditions:
G15. left(a1) ≺_child a1 and
     right(a1) ≺_child a1 and
     not atom(a1)              | flattree2(left(a1), flattree2(right(a1), a2))


Recall the left and right properties of the child relation:

if tree(u) and not atom(u)
then left(u) ≺_child u

if tree(u) and not atom(u)
then right(u) ≺_child u

By two applications of the resolution rule, {u ← a1}, and removal of sort
conditions:

G16. not atom(a1)             | flattree2(left(a1), flattree2(right(a1), a2))


THE  FINAL  STAGE 


We now use the earlier goal, which we developed and set aside.

Recall goals G16 and G7:

G16. not atom(a1)             | flattree2(left(a1), flattree2(right(a1), a2))

G7.  atom(a1)                 | a1 • a2

By the resolution rule, { }:
G17. true                     | if atom(a1)
                              | then a1 • a2
                              | else flattree2(left(a1), flattree2(right(a1), a2))

At this stage a conditional term has been introduced into the output column.

We have obtained the final goal true with a primitive output entry. Therefore,
we may conclude the derivation and obtain the program

flattree2(x1, x2) = if atom(x1)
                    then x1 • x2
                    else flattree2(left(x1), flattree2(right(x1), x2))

This program, combined with the program we obtained from the first derivation,

flattree1(x1) = flattree2(x1, Λ)

gives us an alternative method for computing the flattree function.
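As an added example (not from the book), the given flattree program beside the derived flattree2 and flattree1 programs, run over an assumed Python encoding of the combined theory (an atom is a one-character string, the tree u • v is a pair, Λ is the empty string); it checks the specification z = flattree(x1) * x2, the first-projection relation used for the recursive calls, and counts the string operations to show why excluding * from the primitive list yields the more efficient program. The Cost class and the left_comb and compare_costs helpers are assumptions introduced here.

```python
"""Added example, not from the book: the given flattree program of Section 14.9
beside the derived flattree2 and flattree1 programs, run over a Python encoding
of the combined theory of trees and strings, with the specification checked.
Assumed encoding: an atom is a one-character str (the character-atom axiom
identifies atoms with characters); the tree u • v is the pair (u, v); strings
are str with Λ = ""; prefix w • v and concatenation u * v are both str addition
but are metered separately so that their costs can be compared."""

from typing import Tuple, Union

Tree = Union[str, Tuple["Tree", "Tree"]]
EMPTY = ""  # Λ


class Cost:
    def __init__(self) -> None:
        self.copies = 0    # characters copied by concatenation u * v
        self.prefixes = 0  # applications of the prefix w • v

    def concat(self, u: str, v: str) -> str:  # u * v
        self.copies += len(u) + len(v)
        return u + v

    def prefix(self, w: str, v: str) -> str:  # w • v, where char(w)
        self.prefixes += 1
        return w + v


def atom(u: Tree) -> bool:
    return isinstance(u, str)

def left(u: Tree) -> Tree:
    return u[0]

def right(u: Tree) -> Tree:
    return u[1]

def flattree(u: Tree, cost: Cost) -> str:
    """The given program: (atom) flattree(u) = u;
    (construction) flattree(u • v) = flattree(u) * flattree(v)."""
    if atom(u):
        return u
    return cost.concat(flattree(left(u), cost), flattree(right(u), cost))

def flattree2(x1: Tree, x2: str, cost: Cost) -> str:
    """The derived program: if atom(x1) then x1 • x2
    else flattree2(left(x1), flattree2(right(x1), x2)); no * is used."""
    if atom(x1):
        return cost.prefix(x1, x2)
    return flattree2(left(x1), flattree2(right(x1), x2, cost), cost)

def flattree1(x: Tree, cost: Cost) -> str:
    """flattree1(x) = flattree2(x, Λ), the program of the first derivation."""
    return flattree2(x, EMPTY, cost)

def pi1_child_less(p: Tuple[Tree, str], q: Tuple[Tree, str]) -> bool:
    """<u1, u2> ≺_π1(child) <v1, v2> ≡ u1 ≺_child v1, where u ≺_child v holds
    when u is the left or right subtree of the nonatomic tree v."""
    (u1, _), (v1, _) = p, q
    return not atom(v1) and (u1 == left(v1) or u1 == right(v1))

def meets_spec2(x1: Tree, x2: str) -> bool:
    """Q2[x1, x2; z]: z = flattree(x1) * x2 (and so Q1 when x2 = Λ)."""
    return flattree2(x1, x2, Cost()) == flattree(x1, Cost()) + x2

def left_comb(n: int) -> Tree:
    """Constructed worst case for concatenation: ((x • x) • x) • ... with n atoms."""
    t: Tree = "x"
    for _ in range(n - 1):
        t = (t, "x")
    return t

def compare_costs(n: int) -> Tuple[int, int]:
    """(characters copied by flattree, prefixes applied by flattree1) on left_comb(n)."""
    t, c1, c2 = left_comb(n), Cost(), Cost()
    flattree(t, c1)
    flattree1(t, c2)
    return c1.copies, c2.prefixes
```

On the left-deep tree the concatenation-based flattree copies a number of characters quadratic in the number of atoms, while flattree1 performs one prefix per atom.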


PROBLEMS 


Problem (sex)

Consider the extension of the family theory, in which every person is either
male or female, that is,

(∀ person u)[sex(u, male) or sex(u, female)]                  (sex)

In this theory, give the full derivation of a program s(x) = f[x] to find the sex of
a given person, that is, to meet the specification

Q[x; z] : sex(x, z),

where the input sort is person.


Solution  (sex) 

From the specification, we form the initial tableau


Chapter 14: Program Synthesis


assertions          | goals              | s(a)

1. person(a)

                    | 2. sex(a, z)       | z

Recall the sex axiom:

if person(u)
then sex(u, male)
     or sex(u, female)

By the resolution rule, {u ← a, z ← male}, removal of sort condition.
(( use not (if P then Q) ≡ P and not Q as a simplification? ))

3. not sex(a, female)                    | male

By the resolution rule, {z ← female}:

4. true                                  | if sex(a, female)
                                         | then female
                                         | else male

We have obtained the final goal true with a primitive output entry. Therefore
we may extract the program

s(x) = if sex(x, female)
       then female
       else male


Problem (reverse)

In the theory of strings, suppose we are given a program reverse(u) to reverse
a string u (Section [I]7.4) in the form of two axioms.

reverse(Λ) = Λ                                                (empty)

(∀ string u, v)
  [if char(u)
   then reverse(u • v) = reverse(v) * u]                      (prefix)

Here u • v is the prefix function (where u is a character) and v1 * v2 is the
concatenation function.


(a) Derive a program reverse2(x, y) for reversing a string x and concatenating
the result and the string y.

This program must meet the specification

Q1[x1, x2; z] : z = reverse(x1) * x2

where the input sorts obj1 and obj2 are both string.

(b) Use this program in the derivation of a program reverse1(x) (more efficient
than reverse) for reversing a string. This program must meet the specification

Q2[x; z] : z = reverse(x)

The program for reverse2 derived in part (a) of the problem may be included in the
tableau as an axiom. Also, the property that this program meets its specification,
that is,

(∀ string u1, u2)[reverse2(u1, u2) = reverse(u1) * u2],

may be included.


